2018-03143. HUD Supportive Services Demonstration/Integrated Wellness in Supportive Housing: Privacy Act of 1974; System of Records  

    AGENCY:

    Office of Policy Development and Research, HUD.

    ACTION:

    Notice of a new system of records.

    SUMMARY:

    Pursuant to the Privacy Act of 1974, as amended, notice is hereby given that the Office of Policy Development and Research (PD&R), U.S. Department of Housing and Urban Development (HUD), provides public notice regarding its System of Records for the HUD Supportive Services Demonstration (SSD)/Integrated Wellness in Supportive Housing (IWISH). The demonstration will test a model of housing and supportive services in HUD-assisted Multifamily housing with the potential to delay or avoid nursing home care for low-income elderly residents in HUD-assisted housing. Primary data collection includes a Resident Assessment and uses a standardized, web-based platform to capture and store self-reported demographic and health and social status information from demonstration participants, including personally identifying information (PII) and protected health information (PHI). A more detailed description of the proposed system of records is contained in the purpose section of this notice.

    DATES:

    This notice will become applicable March 19, 2018.

    ADDRESSES:

    You may submit comments, identified by docket number and title by one of the following methods: Interested persons are invited to submit comments regarding this notice to the Rules Docket Clerk, Office of General Counsel, Department of Housing and Urban Development, 451 Seventh Street SW, Room 10276, Washington, DC 20410. Comments may be filed electronically by accessing: www.regulations.gov. Regulations.gov provides clear instructions on how to submit a public comment on a rule. Communications should refer to the above docket number and title. Faxed comments are not accepted. A copy of each communication submitted will be available for public inspection and copying between 8 a.m. and 5 p.m. weekdays at the above address.

    FOR FURTHER INFORMATION CONTACT:

    John Bravacos, Senior Agency Official for Privacy, at 451 7th Street SW, Room 10139; U.S. Department of Housing and Urban Development; Washington, DC 20410-0001; telephone number 202-708-3054 (this is not a toll-free number). Individuals who are hearing- or speech-impaired may access this telephone number via TTY by calling the Federal Relay Service at 800-877-8339 (this is a toll-free number).

    SUPPLEMENTARY INFORMATION:

    The new System of Records will encompass data collected by PD&R to implement the HUD Supportive Services Demonstration (SSD)/Integrated Wellness in Supportive Housing (IWISH). HUD's Office of Policy Development and Research and Office of Multifamily Housing are launching the Supportive Services Demonstration (SSD), which was authorized under the Fiscal Year 2014 Consolidated Appropriations Act.

    The demonstration will test a model of housing and supportive services with the potential to delay or avoid nursing home care for low-income elderly residents in HUD-assisted Multifamily housing. The 3-year demonstration will be implemented in 40 HUD-assisted multifamily properties in California, Illinois, Maryland, Massachusetts, Michigan, New Jersey, and South Carolina. Each property will enter into a cooperative agreement with HUD's Office of Multifamily Housing and receive funds to employ a Resident Wellness Director and Wellness Nurse to assess elderly residents' social service and healthcare needs, connect residents with services, and liaise with providers.

    The Resident Wellness Director and Wellness Nurse teams will conduct a Resident Assessment and use a standardized, web-based platform to capture and store self-reported demographic and health and social status information from demonstration participants, including personally identifying information (PII) and protected health information (PHI). The web-based platform, Population Health Logistics (PHL), is provided by Preferred Population Health Management, LLC (PPHM). HUD has a contract with The Lewin Group to support the implementation of the Supportive Services Demonstration; The Lewin Group has a subcontract with PPHM to use PHL for the demonstration.

    The new notice states the name and location of the record system, the authority for and manner of its operations, the categories of individuals that it covers, the type of records that it contains, the sources of the information for the records, the routine uses made of the records, and the types of exemptions in place for the records. The notice also includes the business address of the HUD officials who will inform interested persons of how they may gain access to and/or request amendments to records pertaining to themselves.

    Publication of this notice allows the Department to provide new information about its system of records notices in a clear and cohesive format. The new system of records will incorporate Federal privacy requirements and Department's policy requirements. The Privacy Act places on Federal agencies principal responsibility for compliance with its provisions, by requiring Federal agencies to safeguard an individual's records against an invasion of personal privacy; protect the records contained in an agency system of records from unauthorized disclosure; ensure that the records collected are relevant, necessary, current, and collected only for their intended use; and adequately safeguard the records to prevent misuse of such information. In addition, this notice demonstrates the Department's focus on industry best practices to protect the personal privacy of the individuals covered by this SORN.

    Pursuant to the Privacy Act and the Office of Management and Budget (OMB) guidelines, a report of the system of records was submitted to OMB, the Senate Committee on Homeland Security and Governmental Affairs, and the House Committee on Oversight and Government Reform, as instructed by paragraph 7a of OMB Circular No. A-108, “Federal Agencies Responsibilities for Review, Reporting, and Publication under the Privacy Act,” December 23, 2016.

    System Name and Number

    HUDIPHL Supportive Services Demonstration Data Collection Platform.

    SECURITY CLASSIFICATION:

    No information in the system is classified.

    SYSTEM LOCATION:

    Records are stored on Microsoft Azure secure cloud servers administered by Preferred Population Health Management, LLC (PPHM). All data is stored in the Microsoft Azure platform. The primary datacenter is located in Chicago, while the geo-redundant datacenter is in California.

    System Manager(s):

    Carol S. Star, Program Evaluation Division, Office of Policy Development and Research, U.S. Department of Housing and Urban Development, 451 7th Street SW, Washington, DC 20410; telephone number 202-402-6139 (this is not a toll-free number).

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    Sec. 501 and 502 of the Housing and Urban Development Act of 1970 (Pub. L. 91-609), 12 U.S.C. 1701z-1, 1701z-2.

    PURPOSE(S) OF THE SYSTEM:

    As an essential part of the Supportive Services Demonstration, Resident Wellness Director and Wellness Nurse teams will conduct a Resident Assessment and use a standardized, third-party web-based platform to capture and store self-reported demographic and health and social status information from demonstration participants, including personally identifying information (PII) and protected health information (PHI).

    Use of this platform is essential to the successful implementation of the demonstration because Resident Wellness Directors and Wellness Nurses must be able to adequately assess and track residents' needs, monitor referrals, and ensure access to providers.

    The demonstration also requires a web-based platform to support program development and performance monitoring, as well as evaluation efforts. This requires a standardized, adaptable, accessible, and easy-to-use web-based platform to administer assessments, securely house and track data, quality assurance measures and outcomes, and produce reports throughout the three-year demonstration period.

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    Data will be collected from residents who live in 40 HUD-assisted Multifamily housing properties in California, Illinois, Maryland, Massachusetts, Michigan, New Jersey and South Carolina. The vast majority of individuals will be HUD-assisted seniors aged 62 or older.

    CATEGORIES OF RECORDS IN THE SYSTEM:

    • Participant Details: Full Name, Address, Phone, Email, Date of Birth, Social Security Number, Ethnicity, Race, Gender, Marital Status, Spoken Language, Veteran Status, Consent Form Status
    • Household Members
    • Emergency Contacts
    • Advanced Directives and Powers of Attorney
    • Insurance Information
    • Clinician Information
    • Specialist Information
    • Hospital Information
    • Service Needs
    • Case Manager Information
    • Caregiver Information
    • Pre-Screens
    • Medications
    • Health Conditions
    • Surgical History Conditions
    • Allergies
    • Immunizations
    • Vitals
    • Pain Scale
    • Vision/Dental Health/Foot Practice Assessment
    • Functional Assessment
    • Smoking Assessment
    • Nutrition Assessment
    • Falls Risk Assessment
    • Additional Depression Screening Using the PHQ-9 or the GDS-S
    • Generalized Anxiety Disorder Scale (GAD-7)
    • Drug and Alcohol Screening Tool (DAST-10)
    • Short Michigan Alcoholism Screening Test—Geriatric Version (SMAST-G)
    • Mini-Cog

    RECORD SOURCE CATEGORIES:

    Residents in 40 HUD-assisted Multifamily housing properties in California, Illinois, Maryland, Massachusetts, Michigan, New Jersey and South Carolina who have agreed to participate in the Demonstration.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

    In addition to those disclosures generally permitted under 5 U.S.C. Section 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside HUD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

    To appropriate agencies, entities, and persons for disclosures compatible with the purpose for which the records in this system were collected, as set forth by Appendix I—HUD's Routine Use Inventory Notice, 80 FR 81837 (December 31, 2015).

    1. To the National Archives and Records Administration or to the General Services Administration for records having enough historical or other value to warrant continued preservation by the United States Government, or for inspection under Title 44 U.S.C. 2904 and 2906.

    2. To a congressional office from the record of an individual, in response to an inquiry from that congressional office made at the request of that individual.

    3. To contractors performing or working under a contract with HUD, when necessary to accomplish an agency function related to this system of records. Disclosure requirements are limited to only those data elements considered relevant to accomplishing an agency function. Individuals provided information under these routine use conditions are subject to Privacy Act requirements and disclosure limitations imposed on the Department.

    4. To the Department of Justice (DOJ) when seeking legal advice for a HUD initiative or in response to DOJ's request for the information, after either HUD or DOJ determine that such information relates to DOJ's representation of the United States or any other components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to DOJ is a use of the information in the records that is compatible with the purpose for which HUD collected the records. HUD on its own may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which HUD collected the records.

    5. To contractors, grantees, experts, consultants, Federal agencies, and non-Federal entities including but not limited to state and local governments, with whom HUD has a contract, service agreement, grant, or cooperative agreement. The records may not be used to make decisions concerning the rights, benefits, or privileges of specific individuals, or providers of services with respect to a homeless individual's efforts.

    6. To appropriate agencies, entities, and persons when: (a) HUD suspects or has confirmed that the security or confidentiality of information in a system of records has been compromised; (b) HUD has determined that, as a result of the suspected or confirmed compromise, there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of systems or programs (whether maintained by HUD or another agency or entity) that rely upon the compromised information; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HUD's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm for purposes of facilitating responses and remediation efforts in the event of a data breach.

    POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

    Records are stored on Microsoft Azure secure cloud servers administered by Preferred Population Health Management, LLC (PPHM). All data is stored in a secure datacenter. The primary datacenter is located in Chicago, while the geo-redundant datacenter is in California. The data management at the facility is built with multiple layers of security and follows best practices for securing sensitive data. Any paper-based records (e.g. printed Resident Assessment forms) will be stored in a locked file cabinet, in private offices, at the housing property. Staff will be trained on proper confidentiality and privacy acts prior to enrolling participants.

    Records in PHL will be retained throughout the 3-year demonstration period and destroyed at the end of the implementation contract. Prior to destruction of the data, housing property sites will be given an opportunity to continue using PHL outside of the demonstration, with no further involvement from HUD. Many housing providers use similar data platforms to collect resident PII. If housing sites elect to use PHL after the demonstration period, they may do so, but will have to enter into their own licensing agreements with PHL. Resident Wellness Directors may retain their own records in accordance with Chapter 8 of the Office of Multifamily Housing Management Agent Handbook, which covers the roles and responsibilities of the traditional Service Coordinator Program.

    As part of the contract supporting the implementation of the SSD, the implementation contractor is expected to fully cooperate with the evaluation team and share data as necessary. Privacy and security measures governing any data that is transferred to the evaluation contractor will be covered in the evaluation contract and associated SORN.

    POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

    Records will be retrieved by SSD staff (Resident Wellness Directors and Wellness Nurses) to maintain accuracy of data and to verify various program components. Staff will have unique identifiers which will provide them access to only the participants within their property. PHL user logins are tracked and each login is given a unique session ID. Sessions are marked inactive when users log out of the system.

    Records will also be retrieved by HUD funded contractors to monitor program performance and model fidelity for the duration of the demonstration. HUD contractors will have unique identifiers which will provide them access to both property and participant-level records.

    POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

    Records in PHL will be retained throughout the three-year demonstration period and destroyed at the end of the implementation contract. Prior to destruction of the data, housing property sites will be given an opportunity to continue using PHL outside of the demonstration, with no further involvement from HUD. If housing sites elect to use PHL after the demonstration period, they may do so, but will have to enter into their own licensing agreements with PHL. Resident Wellness Directors may retain their own records in accordance with Chapter 8 of the Office of Multifamily Housing Management Agent Handbook, which covers the roles and responsibilities of the traditional Service Coordinator Program.

    As part of the contract supporting the implementation of SSD, the implementation contractor is expected to fully cooperate with the evaluation team and share data as necessary. Privacy and security measures governing any data that are transferred to the evaluation contractor are covered by the evaluation contract.

    ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

    The data management at the facility is built with multiple layers of security and follows best practices for securing sensitive data. The main levels of security include: media and server physical security in the data center, data user access controls, and virtual server security. The data center is physically located within a building having limited, electronic passkey access in addition to physical sign in and identification with security staff. Physical access to the data center is limited to data center staff and a few key personnel. Physical access requires photo identification, access cards and passwords along with manual sign in and sign out procedures. The data center is monitored on a 24x7 basis. Desktop computers and laptops in offices outside the data center do not store any data. These user end-points are encrypted, password protected, and protected by hardware firewalls and antivirus software. Periodic security audits of all computers are performed along with vulnerability audits. Access to the data on the servers that reside inside the datacenter is limited to access through secure Virtual Private Networks (VPNs).

    Access to any server, security, storage, backup, and infrastructure equipment is monitored, restricted to only those with a need-to-have system access, including being secured by administrative password and authentication methods. Data access is limited to data analysts and key members of the IT staff. Prior to receiving PHI access, all staff members will receive HIPAA training and abide by security procedures developed by the management. Each user (e.g., Resident Wellness Directors and Wellness Nurses) is assigned a user type that administrators are able to assign to individual users; users will only have access to the data of the residents they are working with, and no access to data from other sites. PHL also records the user, time, and items clicked on or visited throughout PHL. All staff members are required to sign and abide by data security and privacy agreements required by PHL, as well as HUD policies.

    RECORD ACCESS PROCEDURES:

    For information, assistance, or inquiry about records, contact John Bravacos, Senior Agency Official for Privacy, at 451 7th Street SW, Room 10139; U.S. Department of Housing and Urban Development; Washington, DC 20410-0001, telephone number 202-708-3054 (this is not a toll-free number). When seeking records about yourself from this system of records or any other Housing and Urban Development (HUD) system of records, your request must conform with the Privacy Act regulations set forth in 24 CFR part 16. You must first verify your identity, meaning that you must provide your full name, address, and date and place of birth. You must sign your request, and your signature must either be notarized or submitted under 28 U.S.C. 1746, a law that permits statements to be made, under penalty of perjury, as a substitute for notarization. In addition, your request should:

    a. Explain why you believe HUD would have information on you.

    b. Identify which Office of HUD you believe has the records about you.

    c. Specify when you believe the records would have been created.

    d. Provide any other information that will help the Freedom of Information Act (FOIA) staff determine which HUD office may have responsive records.

    If your request is seeking records pertaining to another living individual, you must include a statement from that individual certifying their agreement for you to access their records. Without the above information, the HUD FOIA Office may not conduct an effective search, and your request may be denied due to lack of specificity or lack of compliance with regulations.

    CONTESTING RECORD PROCEDURES:

    The Department's rules for contesting contents of records and appealing initial denials appear in 24 CFR part 16, Procedures for Inquiries. Additional assistance may be obtained by contacting John Bravacos, Senior Agency Official for Privacy, at 451 7th Street SW, Room 10139; U.S. Department of Housing and Urban Development; Washington, DC 20410-0001, or the HUD Departmental Privacy Appeals Officers; Office of General Counsel; U.S. Department of Housing and Urban Development; 451 7th Street SW, Washington DC 20410-0001.

    NOTIFICATION PROCEDURES:

    Individuals wishing to determine whether this system of records contains information about them may do so by contacting their lending institutions or contacting HUD's Privacy Officer or Freedom of Information Act Office at the addresses above.

    EXEMPTIONS PROMULGATED FOR THE SYSTEM:

    None.

    History: None.

    Dated: February 8, 2018.

    John Bravacos,

    Senior Agency Official for Privacy.

    [FR Doc. 2018-03143 Filed 2-14-18; 8:45 am]

    BILLING CODE 4210-67-P

Document Information

Published: 02/15/2018
Department: Housing and Urban Development Department
Entry Type: Notice
Action: Notice of a new system of records.
Document Number: 2018-03143
Dates: This notice will become applicable March 19, 2018.
Pages: 6875-6878 (4 pages)
Docket Numbers: Docket No. FR-7009-N-03
PDF File: 2018-03143.pdf