AGENCY:

Department of Health and Human Services (HHS).

ACTION:

Final rule.

SUMMARY:

The Department of Health and Human Services (HHS or Department) is issuing this final rule to make effective the exemptions that HHS proposed for certain records covered in a new Privacy Act system of records, System No. 09-90-1701, HHS Insider Threat Program Records.

DATES:

This final rule is effective April 11, 2019.

FOR FURTHER INFORMATION CONTACT:

Michael W. Schmoyer, Assistant Deputy Secretary for National Security by email at insiderthreat@hhs.gov or telephone at (202) 690-5756, or by mail to the HHS Office of Security and Strategic Information (OSSI), 200 Independence Ave. SW, Washington, DC 20201.

SUPPLEMENTARY INFORMATION:

In accordance with 5 U.S.C. 552a (Privacy Act or Act), the exemptions were described in a Notice of Proposed Rulemaking (NPRM) published for public notice and comment at 83 FR 42627 (Aug. 23, 2018). The new system of records is described in a System of Records Notice (SORN) which was published for public notice and comment the same day, at 83 FR 42667 (Aug 23, 2018). Only law enforcement investigatory material and classified intelligence information were proposed to be exempted, based on subsections (k)(1) and (k)(2) of the Act, from the requirements contained in subsections (c)(3), (d)(1)-(4), (e)(1), (e)(4)(G), (H), and (I), and (f) of the Act, which require the agency to provide an accounting of disclosures; provide notification, access, and amendment rights, rules, and procedures; maintain only relevant and necessary information; and identify categories of record sources. The NPRM also explained that if the HHS Insider Threat Program obtains law enforcement investigatory material from another Privacy Act system of records that has been exempted from Privacy Act requirements based on subsection (j)(2) of the Act, that material will be exempt in System No. 09-90-1701 to the same extent it is exempt in the source system, so it may be exempt from requirements in any of these subsections of the Act: (c)(3)-(4); (d)(1)-(4); (e)(1)-(3), (e)(4)(G)-(I), (e)(5), (e)(8), (e)(12); (f); (g); and (h).

The comment period for the SORN and NPRM was open through September 24, 2018. No comments were received on the NPRM and no comments were received on the SORN. No changes to the proposed exemptions or to the SORN were made following the public comment period.

The specific rationales that support the exemptions as to each affected Privacy Act provision, remain as stated in the NPRM; the exemptions from the particular subsections are necessary and appropriate, and justified for the following reasons:

• 5 U.S.C. 552a(c)(3) (the requirement to provide accountings of disclosures) and 5 U.S.C. 552a(d)(1)-(4) (requirements addressing notification, access, and amendment rights, collectively referred to herein as access requirements). Providing individual record subjects with accountings of disclosures and with notification, access, and amendment rights with respect to Insider Threat Program records could reveal the existence of an investigation, investigative interest, investigative techniques, details about an investigation, security-sensitive information such as information about security measures and security vulnerabilities, information that must remain non-public to protect national security or personal privacy-identities of law enforcement personnel, or other sensitive or classified information. Revealing such information to record subjects would thwart or impede pending and future law enforcement investigations and efforts to protect national security, and would violate personal privacy. Revealing the information would enable record subjects or other persons to evade detection and apprehension by security and law enforcement personnel; destroy, conceal, or tamper with evidence or fabricate testimony; or harass, intimidate, harm, coerce, or retaliate against witnesses, complainants, investigators, security personnel, law enforcement personnel, or their family members, their employees, or other individuals. With Start Printed Page 14623respect to investigatory material compiled for law enforcement purposes, the exemption pursuant to 5 U.S.C. 552a(k)(2) from access requirements in subsection (d) of the Act is statutorily limited. If any individual is denied a right, privilege, or benefit to which the individual would otherwise be entitled by federal law or for which the individual would otherwise be eligible, access will be granted, except to the extent that the disclosure would reveal the identity of a source who furnished information to the Government under an express promise of confidentiality.
• 5 U.S.C. 552a(e)(1) (the requirement to maintain only relevant and necessary information authorized by statute or Executive Order). It will not always be possible to determine at the time information is received or compiled in this system of records whether the information is or will be relevant and necessary to a law enforcement investigation or to protecting national security. For example, a tip or lead that does not appear relevant or necessary to uncovering an insider threat by itself or at the time the tip or lead is received may prove to be relevant and necessary when combined with other information that reveals a pattern or that comes to light later.
• 5 U.S.C. 552a(e)(4)(G) and (H) (the requirements to describe procedures by which subjects may be notified of whether the system of records contains records about them and seek access or amendment of a record). These requirements concern individual access to records, and the records are exempt under (c) and (d), as described above. To the extent that (e)(4)(G) and (H) are interpreted to require more detailed procedures regarding record notification, access, or amendment than have been published in the Federal Register, exemption from those provisions is necessary for the same rationale as applies to (c) and (d).
• 5 U.S.C. 552a(e)(4)(I) (the requirement to describe the categories of record sources). To the extent that this subsection is interpreted to require a more detailed description regarding the record sources in this system than has been published in the Federal Register, exemption from this provision is necessary to protect the sources of law enforcement and intelligence information and to protect the privacy and safety of witnesses and informants and others who provide information to HHS. Further, greater specificity of sources of properly classified records could compromise national security. Moreover, because records used in the Insider Threat Program could come from any source, it is not possible to know every category in advance in order to list them all in the SORN. Some record source categories may not be appropriate to make public in the SORN if, for example, revealing them could enable record subjects or other individuals to discover investigative techniques and devise ways to bypass them to evade detection and apprehension.
• 5 U.S.C. 552a(f) (the requirement to promulgate rules to implement provisions of the Privacy Act). To the extent that this subsection is interpreted to require agency rules addressing the above exempted requirements, exemption from this provision is also necessary to protect the sources of law enforcement and intelligence information and to protect the privacy and safety of witnesses and informants and others who provide information to HHS. Greater specificity in rulemaking regarding properly classified records could compromise national security.

Accordingly, based on 5 U.S.C. 552a(k)(1) and (k)(2) and the specific rationales indicated above, HHS is now exempting law enforcement investigatory material and classified intelligence information in system of records 09-90-1701 HHS Insider Threat Program Records from subsections (c)(3), (d)(1)-(4), (e)(1), (e)(4)(G), (H), and (I), and (f) of the Act, which contain requirements to provide an accounting of disclosures; provide notification, access, and amendment rights, rules, and procedures; maintain only relevant and necessary information; and identify categories of record sources. In addition, HHS affirms that if the HHS Insider Threat Program obtains law enforcement investigatory material from another Privacy Act system of records that has been exempted from Privacy Act requirements based on subsection (j)(2) of the Act, that material will be exempt in System No. 09-90-1701 to the same extent it is exempt in the source system.

Notwithstanding these exemptions, consideration will be given to any requests for notification, access, and amendment that are addressed to the System Manager, as provided in the SORN for system of records 09-90-1701, and to accounting of disclosure requests. Where HHS determines that compliance with a request would not interfere with or adversely affect the purpose of this system of records to detect, deter, or mitigate insider threats, the applicable exemption may be waived by HHS in its sole discretion.

The Federal Register notice containing the SORN proposed for new system of records 09-90-1701 provides for that SORN to be effective upon publication of this final rule. No changes were made to the SORN as a result of public comments and, therefore, the SORN, as published at 83 FR 42667 (Aug. 23, 2018), is now effective.

Analysis of Impacts

The agency has reviewed this rule under Executive Orders 12866 and 13563, which direct agencies to assess costs and benefits of available regulatory alternatives and, if regulation is necessary, to maximize the net benefits. The agency believes that this rule is not a significant regulatory action under Executive Order 12866, and therefore does not constitute an Executive Order 13771 regulatory action, because it will not (1) have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local or tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impact of entitlements, grants, user fees or loan programs, or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in Executive Order 12866.

The Regulatory Flexibility Act requires agencies to analyze regulatory options that would minimize any significant impact of a rule on small entities. Because the rule imposes no duties or obligations on small entities, the Department certifies that the rule will not have a significant economic impact on a substantial number of small entities.

Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires that agencies prepare a written statement, which includes an assessment of anticipated costs and benefits, before proposing “any rule that includes any Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any one year.” The current threshold after adjustment for inflation is $144 million, using the most current (2015) Implicit Price Deflator for the Gross Domestic Product. The Department does not expect that this final rule would result in any one-year expenditure that would meet or exceed this amount.

List of Subjects in 45 CFR Part 5b

• Privacy

For the reasons stated in the preamble, the Department amends part 5b of title 45 of the Code of Federal Regulations as follows:

PART 5b—PRIVACY ACT REGULATIONS

1. The authority citation for part 5b continues to read as follows:

Authority: 5 U.S.C. 301, 5 U.S.C. 552a.

2. Section 5b.11 is amended by adding paragraph (b)(2)(viii)(A) and reserved paragraph (b)(2)(viii)(B) to read as follows: