83 FR 11213 - Privacy Act of 1974; System of Records

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Federal Register Volume 83, Issue 50 (March 14, 2018)

Page Range: 11213-11217
FR Document: 2018-05176

[Federal Register Volume 83, Number 50 (Wednesday, March 14, 2018)]
[Notices]
[Pages 11213-11217]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-05176]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary (OS), Department of Health and Human 
Services (HHS).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, HHS is altering an existing department-wide system of 
records, ``Records About Restricted Dataset Requesters,'' System Number 
09-90-1401. This system of records covers records about individuals 
within and outside HHS who request restricted datasets and software 
products from HHS (e.g., for health-related scientific research and 
study purposes), when HHS maintains the requester records in a system 
from which they are retrieved directly by an individual requester's 
name or other personal identifier. The system of records currently 
covers records maintained by three HHS Operating Divisions. It is being 
altered to include records maintained by a fourth Operating Division, 
the National Institutes of Health (NIH), and to include three revised 
and five new routine uses, some of which will apply to all records in 
the system and some of which will apply to only NIH's records. The 
alterations affect the System Locations, Legal Authorities, Purposes, 
Retention, System Manager, and Routine Uses sections of the System of 
Records Notice (SORN).

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is 
applicable March 14, 2018, subject to a 30-day period in which to 
comment on the new and revised routine uses, described below. Please 
submit any comments by April 13, 2018.

ADDRESSES: The public should submit written comments, by mail or email, 
to Beth Kramer, HHS Privacy Act Officer, 200 Independence Avenue SW, 
Suite 729H, Washington, DC 20201, or beth.kramer@hhs.gov. Comments 
received will be available for review at this location without 
redaction, unless otherwise advised by the commenter. To review 
comments in person, please contact Beth Kramer at beth.kramer@hhs.gov 
or (202) 690-6941.

FOR FURTHER INFORMATION CONTACT: General questions about the system of 
records should be submitted by mail, email, or phone to Beth Kramer, 
HHS Privacy Act Officer, at 200 Independence Avenue SW, Suite 729H, 
Washington, DC 20201; beth.kramer@hhs.gov or (202) 690-6941.

SUPPLEMENTARY INFORMATION: This department-wide system of records was 
established April 2015 (see 80 FR 17447) and has not been previously 
revised. It covers records about individuals within and outside HHS who 
request restricted datasets and software products from HHS, when HHS 
maintains the requester records in a system from which they are 
retrieved directly by an individual requester's name or other personal 
identifier. It currently includes records maintained by three HHS 
Operating Divisions. It is being revised to add records maintained by a 
fourth Operating Division, the National Institutes of Health (NIH), 
which NIH plans to begin retrieving directly by personal identifier, 
and to include three revised and five new routine uses, some of which 
will apply to all records in the system and some of which will apply to 
only NIH's records.
    The alterations made to add NIH's records affect the System 
Location, Legal Authorities, Purposes, Retention, System Manager, and 
Routine Uses sections of the System of Records Notice (SORN). One new 
purpose was added to the ``Purposes'' section, which will apply to all 
records, not just NIH records, stating that records may be used to 
evaluate accomplishment of HHS functions related to the purposes of 
this system of records and to evaluate performance of contractors 
utilized by HHS to accomplish those functions. Minor wording and 
formatting changes have been made throughout the SORN to conform to the 
SORN template prescribed in OMB Circular A-108. The new and revised 
routine uses are as follows:
     Routine use 1 has been revised to add ``including 
ancillary functions, such as compiling reports and evaluating program 
effectiveness and contractor performance.''
     Routine use 2 has been revised to add ``including 
ancillary functions'' and to add a last sentence stating: ``For 
example, disclosure may be made to qualified experts not within the 
definition of HHS employees as prescribed in HHS regulations, for 
opinions as a part of the controlled data access process.''
     Routine use 10 has been revised to use wording prescribed 
in OMB Memorandum M-17-12 issued January 3, 2017.
     Routine uses 11 through 15 are new. Routine use 11 is a 
new routine use prescribed by OMB Memorandum M-17-12.
    ``Restricted'' datasets and software products are those that HHS 
makes affirmatively available to qualified members of the public but 
provides subject to restrictions, because they contain identifiable 
data and/or anonymized data that has the potential, when combined with 
other data, to identify the particular individuals, such as patients or 
providers, whose information is represented in the data. The datasets 
and products are made available through an on-line or paper-based 
ordering and delivery system that provides them to qualified requesters 
electronically or by mail.
    The restrictions are necessary to protect the privacy of 
individuals whose information is represented in the datasets or 
software products. The restrictions typically limit the data requester 
to using the data for research, analysis, study, and aggregate 
statistical reporting; prohibit any attempt to identify any individual 
or establishment represented in the data; and require specific security 
measures to safeguard the data from unauthorized access. HHS is 
required by law to impose, monitor, and enforce the restrictions (see, 
for example, provisions in the Confidential Information Protection and 
Statistical Efficiency Act of 2002 (CIPSEA), 44 U.S.C. 3501 at note). 
To impose and enforce the restrictions, it is necessary to collect information about
the data requesters.
    The altered system of records will cover requester records 
retrieved by requesters' personal identifiers in the following four 
systems or any successor systems, but only to the extent that the 
records pertain to requesters seeking restricted datasets:
     Agency for Healthcare Research and Quality (AHRQ) ``Online 
Application Ordering for Products from the Healthcare Cost and 
Utilization Project (HCUP).'' HCUP is an online system established in 
2013; it makes restricted databases and software available for 
qualified applicants to purchase for scientific research and public 
health use. Applicants may be researchers, patients, consumers, 
practitioners, providers, policy makers, or educators. The HCUP 
databases are annual files containing anonymous information from 
hospital discharge records for inpatient care and certain components of 
outpatient care. The HCUP software tools enhance the use of the data. 
The online system supports AHRQ's mission of promoting improvements in 
health care quality.
     Centers for Medicare & Medicaid Services (CMS) DUA 
tracking system. A new data use agreement (DUA) tracking system went 
into production in 2015 and replaced the previous system, ``Data 
Agreement & Data Shipping Tracking System (DADSS).'' The DUA system 
tracks authorization, payment status, shipping status, and ownership of 
restricted and unrestricted data extracts between CMS, its contractors, 
and other authorized entities.
     National Institutes of Health (NIH) ``Controlled Data 
Access Systems.'' NIH supports ``NIH-designated data repositories,'' 
which archive and distribute controlled-access de-identified human data 
and results from scientific studies under the NIH Genomic Data Sharing 
Policy. Controlled-access data in NIH-designated data repositories are 
made available for secondary research only after investigators have 
obtained approval from NIH to use the requested data for a particular 
project. The National Center for Biotechnology Information database of 
Genotypes and Phenotypes (dbGaP) serves as a central portal to submit, 
locate, and request access to controlled-access human genomic (e.g., 
GWAS, sequencing, expression, epigenomic) data. The dbGaP's capacity 
and functionality are extended by repositories managed by public or 
private organizations through structured partnerships (``trusted 
partnerships'') established by NIH through a contract mechanism. 
Information about investigators, Institutional Signing Officials, and 
other users of NIH-designated controlled access repositories may be 
located and viewed by approved staff using the dbGaP or trusted 
partner-managed systems. Sharing research data supports the mission of 
the NIH and is essential to facilitate the translation of research 
results into knowledge, products, and procedures that improve human 
health.
     Substance Abuse and Mental Health Services Administration 
(SAMHSA) ``Online Application for the Data Portal (SAMHDA).'' This 
online data portal was established in 2013 to more efficiently make 
restricted datasets from SAMHSA available to designated, approved 
researchers. The Data Portal and all applications are maintained 
through the Substance Abuse and Mental Health Data Archive (SAMHDA). 
Currently, data from the Drug Abuse Warning Network (DAWN), DAWN 
Medical Examiner/Coroner component, National Survey on Drug Use and 
Health (NSDUH), and NSDUH Adult Clinical Interview data are available 
through the portal. Data recipients must complete a web-based 
application process and receive project approval from SAMHSA's Center 
for Behavioral Health and Statistics and Quality (CBHSQ), and can use 
the datasets for statistical purposes only. No fees are charged for the 
datasets. The online portal supports SAMHSA's mission to make
substance use and mental disorder information and research more 
accessible.
    Note that this system of records does not include:
     Records about requesters who seek unrestricted datasets, 
publications, or other information products from an HHS on-line or 
paper-based ordering and delivery system. Unrestricted materials are 
also proactively made available to the public by HHS, but are released 
without restrictions (though some may be subject to terms or conditions 
of use and require registration for an account and payment of a fee). 
Because the requests or order forms collect minimal information about 
the requester (i.e., the requester's name, mailing address or email 
address, telephone number, or other contact or delivery information, 
and payment information if a fee is imposed) they would be adequately 
covered by other SORNs (for example, ``Correspondence Tracking 
Management System (CTMS)'' SORN #09-70-3005; ``Consumer Mailing List'' 
SORN #09-90-0041; and ``HHS Financial Management System Records'' SORN 
#09-90-0024 if a fee is involved), if a SORN is required (i.e., if the 
records are retrieved directly by an individual requester's name or 
other personal identifier). Examples include records about requesters 
who order materials online from AHRQ's Publications Online Store & 
Clearinghouse or by mail from AHRQ's Publications Clearinghouse, which 
provide only unrestricted publications and other information products; 
and records about requesters ordering unrestricted datasets from CMS's 
DUA tracking system, which processes orders for both restricted and 
unrestricted datasets.
     Records about data requesters that are not retrieved 
directly by an individual requester's name or other personal 
identifier. These records are not subject to the Privacy Act and are 
not required to be covered in a SORN, even when they are associated 
with a restricted dataset and include additional information about the 
requester (such as, the requester's intended research purpose, 
qualifications, signed Data Use Agreement, and confidentiality training 
certificate). An example would be requester records that are retrieved 
first by a dataset identifier and/or a requesting entity's name, and 
then by an individual researcher's or record custodian's name.
    A report on the altered system of records has been sent to OMB and 
Congress in accordance with 5 U.S.C. 552a(r).

    Dated: March 8, 2018.
Alfred C. Johnson,
Deputy Director for Management, National Institutes of Health.

SYSTEM NAME AND NUMBER:
    Records About Restricted Dataset Requesters, 09-90-1401

SECURITY CLASSIFICATION:
    Unclassified

SYSTEM LOCATION:
    The address of each agency component responsible for the system of 
records is:
     AHRQ: HCUP Project Officer, Center for Delivery, 
Organization, and Markets, 540 Gaither Road, Rockville, MD 20850.
     CMS: DUA tracking system, Division of Data and Information 
Dissemination, Data Development and Services Group, Office of 
Enterprise Data and Analytics, Centers for Medicare & Medicaid 
Services, 7500 Security Boulevard, Mailstop: B2-29-04, Office Location: 
B2-03-37, Baltimore, MD 21244-1870.
     NIH: Office of the Director, Office of Science Policy, 
Division of Scientific Data Sharing Policy, 6705 Rockledge Drive, Suite 750, Bethesda, MD
20817.
     SAMHSA: SAMHDA Project Officer, CBHSQ, 5600 Fisher's Lane, 
Rockville, MD 20857.

SYSTEM MANAGER(S):
     AHRQ: HCUP Project Officer, Center for Delivery, 
Organization, and Markets, 540 Gaither Road, Rockville, MD 20850; 
Telephone: 301-427-1410; HCUP@AHRQ.GOV.
     CMS: DUA tracking system, Division of Data and Information 
Dissemination, Data Development and Services Group, Office of 
Enterprise Data and Analytics, Centers for Medicare & Medicaid 
Services, 7500 Security Boulevard, Mailstop: B2-29-04, Office Location: 
B2-03-37, Baltimore, MD 21244-1870.
     NIH: Office of the Director, Office of Science Policy, 
Division of Scientific Data Sharing Policy, 6705 Rockledge Drive, Suite 
750, Bethesda, MD 20817.
     SAMHSA: SAMHDA Project Officer, CBHSQ, 5600 Fisher's Lane, 
Rockville, MD 20857. (``SAMHDA'' refers to Substance Abuse and Mental 
Health Data Archive.)

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The following legal authorities authorize the collection and 
maintenance of these records:
     AHRQ: 42 U.S.C. 299-299a; 42 U.S.C. 299c-2.
     CMS: 5 U.S.C. 552a(e)(10); 45 CFR 164.514(e); 44 U.S.C. 
3544; 42 U.S.C. 1306.
     NIH: 42 U.S.C. 217a, 241, 281, 282, 284; 48 CFR Subpart 
15.3; E.O. 13478.
     SAMHDA: 42 U.S.C. 290aa(d)(l); 44 U.S.C. 3501(8)
    See also: CIPSEA, codified at 44 U.S.C. 3501 note.

PURPOSE(S) OF THE SYSTEM:
    The purposes of this system of records are to provide restricted 
datasets and software products to qualified data requesters in a timely 
and efficient manner and consistent with applicable laws, and to enable 
HHS to enforce data requesters' compliance with use and security 
restrictions that apply to the data. Relevant HHS personnel use the 
records on a need-to-know basis for those purposes; specifically:
     Contact and user registration information is used to 
communicate with the requester, enable the requester to access 
requested data electronically (for example, the requester's email 
address would be used to register the requester to use a public access 
web portal or link, and to notify the requester when data has been 
delivered electronically to his registered account), locate the 
requester (e.g., for on-site inspections or to otherwise check 
compliance with the data use agreement), and deliver and track data 
provided by mail (e.g., to document receipt for enforcement purposes 
and report lost shipments to security personnel).
     Qualifications, planned use of the data, confidentiality 
training information, signed data use agreement, data receipt 
information, on-site inspection information, and information about data 
breaches or contract violations is used to grant the request 
(consistent with data use restrictions) or deny the request, bind the 
requester to the applicable data use restrictions and other security 
requirements, conduct on-site inspections or otherwise check the 
requester's compliance with the data use agreement, enforce the 
agreement if breached, and share information about data breaches and 
contract violations with other HHS components administering restricted 
dataset requests involving the same requesters.
     Payment information is used to collect any applicable fee. 
Any payment information shared with HHS accounting and debt collection 
systems is also covered under the accounting and debt collection 
systems' SORNs and is subject to the routine uses published in those 
SORNs (see, e.g., HHS Financial Management System Records, SORN 
#09-90-0024; and Debt Management and Collection System, SORN #09-40-0012).
     Any of the above records could be used to evaluate 
accomplishment of HHS functions related to the purposes of this system 
of records and to evaluate performance of contractors utilized by HHS 
to accomplish those functions.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals within and outside HHS who request restricted datasets 
and software products that HHS makes proactively available to qualified 
members of the public, usually for health-related scientific research 
and study purposes. Examples include individual researchers and records 
custodians, project officers, or other representatives of entities such 
as universities, government agencies, and research organizations.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Categories of records include:
     Request records, containing the requester's name and 
contact information (telephone number, mailing address, email address), 
affiliated entity (e.g., if making the request as a records custodian 
or other employee), and a description of the dataset requested.
     Order fulfillment records, containing user registration 
information such as email address and IP address (if the requester is 
provided access to the dataset electronically through a public access 
web portal or link) or mailing information (if the dataset is mailed to 
the requester on a disk or other media), and tracking information 
(providing proof of delivery).
     Data use restriction records, containing the requester's 
identification, contact, and affiliated entity information, 
qualifications, intended use of the data (e.g., study name, contract 
number), confidentiality training documentation (e.g., a coded number 
indicating the individual completed required confidentiality training), 
signed and notarized data use agreement documents (e.g., Affidavit of 
Nondisclosure; Declaration of Nondisclosure; Confidential Data Use and 
Nondisclosure Agreement (CDUNA); Individual Designations of Agent; DUA 
number and expiration date), tracking information, and any on-site 
inspection information.
     Payment records (if a fee is charged), consisting of the 
requester's credit card account name, number, and billing address, or 
bank routing number and checking account name, address, and number.

RECORD SOURCE CATEGORIES:
    Information in this system of records is obtained directly from the 
individual data requester to whom it applies, or is derived from 
information supplied by the individual or provided by HHS officials.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    Information about an individual data requester may be disclosed to 
parties outside HHS, without the individual's prior, written consent, 
as provided in these routine uses:
    1. Disclosures may be made to federal agencies and Department 
contractors that have been engaged by HHS to assist in accomplishment 
of an HHS function relating to the purposes of this system of records 
(including ancillary functions, such as compiling reports and 
evaluating program effectiveness and contractor performance) and that 
have a need to have access to the records in order to assist HHS in 
performing the activity. Any contractor will be required to comply with 
the requirements of the Privacy Act.
    2. Records may be disclosed to student volunteers, individuals 
working under a personal services contract, and other individuals performing
functions (including ancillary functions) relating to the purposes of 
this system of records for the Department but technically not having 
the status of agency employees, if they need access to the records in 
order to perform their assigned agency functions. For example, 
disclosure may be made to qualified experts not within the definition 
of HHS employees as prescribed in HHS regulations, for opinions as a 
part of the controlled data access process.
    3. CMS records may be disclosed to a CMS contractor (including but 
not limited to Medicare Administrative Contractors, fiscal 
intermediaries, and carriers) that assists in the administration of a 
CMS-administered health benefits program, or to a grantee of a 
CMS-administered grant program, when disclosure is deemed reasonably
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud, waste, or abuse in such program.
    4. Records may be disclosed to another federal agency or an 
instrumentality of any governmental jurisdiction within or under the 
control of the United States (including any state or local governmental 
agency) that administers federally funded programs, or that has the 
authority to investigate potential fraud, waste or abuse in federally
funded programs, when disclosure is deemed reasonably necessary by HHS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy or otherwise 
combat fraud, waste or abuse in such programs.
    5. When a record on its face, or in conjunction with other records, 
indicates a violation or potential violation of law, whether civil, 
criminal or regulatory in nature, and whether arising by general 
statute or particular program statute, or by regulation, rule, or order 
issued pursuant thereto, disclosure may be made to the appropriate 
public authority, whether federal, foreign, state, local, tribal, or 
otherwise, responsible for enforcing, investigating or prosecuting the 
violation or charged with enforcing or implementing the statute, rule, 
regulation, or order issued pursuant thereto, if the information 
disclosed is relevant to the enforcement, regulatory, investigative, or 
prosecutorial responsibility of the receiving entity.
    6. Information may be disclosed to the U.S. Department of Justice 
(DOJ) or to a court or other tribunal, when:
    a. the agency or any component thereof, or
    b. any employee of the agency in his or her official capacity, or
    c. any employee of the agency in his or her individual capacity 
where DOJ has agreed to represent the employee, or
    d. the United States Government,

    is a party to litigation or has an interest in such litigation and, 
by careful review, HHS determines that the records are both relevant 
and necessary to the litigation and that, therefore, the use of such 
records by the DOJ, court or other tribunal is deemed by HHS to be 
compatible with the purpose for which the agency collected the records.
    7. Records may be disclosed to a federal, foreign, state, local, 
tribal, or other public authority of the fact that this system of 
records contains information relevant to the hiring or retention of an 
employee, the retention of a security clearance, the letting of a 
contract, or the issuance or retention of a license, grant or other 
benefit. The other agency or licensing organization may then make a 
request supported by the written consent of the individual for further 
information if it so chooses. HHS will not make an initial disclosure 
unless the information has been determined to be sufficiently reliable 
to support a referral to another office within the agency or to another 
federal agency for criminal, civil, administrative, personnel, or 
regulatory action.
    8. Information may be disclosed to a Member of Congress or 
Congressional staff member in response to a written inquiry of the 
Congressional office made at the written request of the constituent 
about whom the record is maintained. The Congressional office does not 
have any greater authority to obtain records than the individual would 
have if requesting the records directly.
    9. Records may be disclosed to the U.S. Department of Homeland 
Security (DHS) if captured in an intrusion detection system used by HHS 
and DHS pursuant to a DHS cybersecurity program that monitors internet 
traffic to and from federal government computer networks to prevent a 
variety of types of cybersecurity incidents.
    10. Disclosures may be made to appropriate agencies, entities, and 
persons when (1) HHS suspects or has confirmed that there has been a 
breach of the system of records; (2) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    11. Disclosure may be made to another Federal agency or Federal 
entity, when HHS determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    12. Disclosure of past performance information pertaining to 
contractors engaged by HHS to assist in accomplishment of an HHS 
function relating to the purposes of this system of records may be made 
to a federal agency upon request and may include information about 
dataset requesters.
    13. NIH dataset requester records may be included in records 
disclosed to governmental or authorized non-governmental entities with 
a signed data access agreement for system data that includes records 
about individuals requesting and receiving restricted datasets, to use 
in compiling reports (such as, on the composition of biomedical and/or 
research workforce; authors of publications attributable to 
federally-funded research; information made available through third-party systems
as permitted by applicants or awardees for agency grants or contracts; 
or grant payment information reported to federal databases).
    14. When records about a requester of an NIH restricted dataset are 
related to an award or application for award under an NIH award 
program, the dataset requester records may be disclosed to the award 
applicant, principal investigator(s), institutional officials, trainees 
or others named in the application, or institutional service providers 
for purposes of application preparation, review, or award management, 
and to the public consistent with reporting and transparency standards 
and to the extent disclosure to the public would not cause an 
unwarranted invasion of personal privacy.
    15. HHS may disclose records from this system of records to the 
National Archives and Records Administration (NARA), General Services 
Administration (GSA), or other relevant Federal Government agencies in 
connection with records management
inspections conducted under the authority of 44 U.S.C. 2904 and 2906.
    Information about a dataset requester may also be disclosed from 
this system of records to parties outside HHS without the individual's 
consent for any of the uses authorized directly in the Privacy Act at 5 
U.S.C. 552a(b)(2) and (b)(4)-(11).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored in electronic databases and hard-copy files. 
CMS's DUA tracking system records may also be stored on portable media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the data requester's name, registrant/user 
name, User ID Number, email address, or data use agreement (DUA) 
number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records needed to enforce data use restrictions are retained for 20 
years by AHRQ (see DAA-0510-2013-0003-0001), 5 years by CMS (see 
Nl-440-10-04), and 3 years by NIH (see DAA-0443-2013-0004-0004) after the
agreement is closed, and may be kept longer if necessary for 
enforcement, audit, legal, or other purposes. The equivalent SAMHSA 
records will be retained indefinitely until a disposition schedule is 
approved by the National Archives and Records Administration (NARA). 
SAMHSA anticipates proposing a 5 year retention period to NARA. Records 
of payments made electronically are transmitted securely to a Payment 
Card Industry-compliant payment gateway for processing and are not 
stored. Records of payments made by check, purchase order, or wire 
transfer are disposed of once the funds have been received. Records are 
disposed of using destruction methods prescribed by NIST SP 800-88.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records are safeguarded in accordance with applicable laws, rules 
and policies, including the HHS Information Technology Security Program 
Handbook, all pertinent National Institute of Standards and Technology
(NIST) publications, and OMB Circular A-130, Managing Information as a 
Strategic Resource. Records are protected from unauthorized access 
through appropriate administrative, physical, and technical safeguards. 
Safeguards conform to the HHS Information Security and Privacy Program, 
http://www.hhs.gov/ocio/securityprivacy/.
    The safeguards include protecting the facilities where records are 
stored or accessed with security guards, badges and cameras, securing 
hard-copy records in locked file cabinets, file rooms or offices during 
off-duty hours, limiting access to electronic databases to authorized 
users based on roles and the principle of least privilege, and 
two-factor authentication (user ID and password), using a secured operating 
system protected by encryption, firewalls, and intrusion detection 
systems, using an SSL connection for secure encrypted transmissions, 
requiring encryption for records stored on removable media, and 
training personnel in Privacy Act and information security 
requirements.

RECORD ACCESS PROCEDURES:
    An individual who wishes to know if this system of records contains 
records about him or her should submit a written request to the 
relevant System Manager at the address indicated above. The individual 
must verify his or her identity by providing either a notarized request 
or a written certification that the requester is who he or she claims 
to be and understands that the knowing and willful request for 
acquisition of a record pertaining to an individual under false 
pretenses is a criminal offense under the Privacy Act, subject to a 
five thousand dollar fine.

CONTESTING RECORD PROCEDURES:
    An individual seeking to amend the content of information about him 
or her in this system should contact the relevant System Manager and 
reasonably identify the record, specify the information contested, 
state the corrective action sought, and provide the reasons for the 
amendment, with supporting justification.

NOTIFICATION PROCEDURES:
    An individual who wishes to know if this system of records contains 
records about him or her should submit a written request to the 
relevant System Manager at the address indicated above. The individual 
must verify his or her identity by providing either a notarized request 
or a written certification that the requester is who he or she claims 
to be and understands that the knowing and willful request for 
acquisition of a record pertaining to an individual under false 
pretenses is a criminal offense under the Privacy Act, subject to a 
five thousand dollar fine.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    80 FR 17447 (April 1, 2015).

[FR Doc. 2018-05176 Filed 3-13-18; 8:45 am]
 BILLING CODE 4140-01-P







                                                                           Federal Register / Vol. 83, No. 50 / Wednesday, March 14, 2018 / Notices                                            11215

Data Sharing Policy, 6705 Rockledge Drive, Suite 750, Bethesda, MD 20817.
• SAMHSA: SAMHDA Project Officer, CBHSQ, 5600 Fisher’s Lane, Rockville, MD 20857.

SYSTEM MANAGER(S):

• AHRQ: HCUP Project Officer, Center for Delivery, Organization, and Markets, 540 Gaither Road, Rockville, MD 20850; Telephone: 301–427–1410; HCUP@AHRQ.GOV.
• CMS: DUA tracking system, Division of Data and Information Dissemination, Data Development and Services Group, Office of Enterprise Data and Analytics, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Mailstop: B2–29–04, Office Location: B2–03–37, Baltimore, MD 21244–1870.
• NIH: Office of the Director, Office of Science Policy, Division of Scientific Data Sharing Policy, 6705 Rockledge Drive, Suite 750, Bethesda, MD 20817.
• SAMHSA: SAMHDA Project Officer, CBHSQ, 5600 Fisher’s Lane, Rockville, MD 20857. (“SAMHDA” refers to Substance Abuse and Mental Health Data Archive.)

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The following legal authorities authorize the collection and maintenance of these records:
• AHRQ: 42 U.S.C. 299–299a; 42 U.S.C. 299c–2.
• CMS: 5 U.S.C. 552a(e)(10); 45 CFR 164.514(e); 44 U.S.C. 3544; 42 U.S.C. 1306.
• NIH: 42 U.S.C. 217a, 241, 281, 282, 284; 48 CFR Subpart 15.3; E.O. 13478.
• SAMHDA: 42 U.S.C. 290aa(d)(l); 44 U.S.C. 3501(8)
See also: CIPSEA, codified at 44 U.S.C. 3501 note.

PURPOSE(S) OF THE SYSTEM:

The purposes of this system of records are to provide restricted datasets and software products to qualified data requesters in a timely and efficient manner and consistent with applicable laws, and to enable HHS to enforce data requesters’ compliance with use and security restrictions that apply to the data. Relevant HHS personnel use the records on a need-to-know basis for those purposes; specifically:
• Contact and user registration information is used to communicate with the requester, enable the requester to access requested data electronically (for example, the requester’s email address would be used to register the requester to use a public access web portal or link, and to notify the requester when data has been delivered electronically to his registered account), locate the requester (e.g., for on-site inspections or to otherwise check compliance with the data use agreement), and deliver and track data provided by mail (e.g., to document receipt for enforcement purposes and report lost shipments to security personnel).
• Qualifications, planned use of the data, confidentiality training information, signed data use agreement, data receipt information, on-site inspection information, and information about data breaches or contract violations is used to grant the request (consistent with data use restrictions) or deny the request, bind the requester to the applicable data use restrictions and other security requirements, conduct on-site inspections or otherwise check the requester’s compliance with the data use agreement, enforce the agreement if breached, and share information about data breaches and contract violations with other HHS components administering restricted dataset requests involving the same requesters.
• Payment information is used to collect any applicable fee. Any payment information shared with HHS accounting and debt collection systems is also covered under the accounting and debt collection systems’ SORNs and is subject to the routine uses published in those SORNs (see, e.g., HHS Financial Management System Records, SORN #09–90–0024; and Debt Management and Collection System, SORN #09–40–0012).
• Any of the above records could be used to evaluate accomplishment of HHS functions related to the purposes of this system of records and to evaluate performance of contractors utilized by HHS to accomplish those functions.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Individuals within and outside HHS who request restricted datasets and software products that HHS makes proactively available to qualified members of the public, usually for health-related scientific research and study purposes. Examples include individual researchers and records custodians, project officers, or other representatives of entities such as universities, government agencies, and research organizations.

CATEGORIES OF RECORDS IN THE SYSTEM:

Categories of records include:
• Request records, containing the requester’s name and contact information (telephone number, mailing address, email address), affiliated entity (e.g., if making the request as a records custodian or other employee), and a description of the dataset requested.
• Order fulfillment records, containing user registration information such as email address and IP address (if the requester is provided access to the dataset electronically through a public access web portal or link) or mailing information (if the dataset is mailed to the requester on a disk or other media), and tracking information (providing proof of delivery).
• Data use restriction records, containing the requester’s identification, contact, and affiliated entity information, qualifications, intended use of the data (e.g., study name, contract number), confidentiality training documentation (e.g., a coded number indicating the individual completed required confidentiality training), signed and notarized data use agreement documents (e.g., Affidavit of Nondisclosure; Declaration of Nondisclosure; Confidential Data Use and Nondisclosure Agreement (CDUNA); Individual Designations of Agent; DUA number and expiration date), tracking information, and any on-site inspection information.
• Payment records (if a fee is charged), consisting of the requester’s credit card account name, number, and billing address, or bank routing number and checking account name, address, and number.

RECORD SOURCE CATEGORIES:

Information in this system of records is obtained directly from the individual data requester to whom it applies, or is derived from information supplied by the individual or provided by HHS officials.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

Information about an individual data requester may be disclosed to parties outside HHS, without the individual’s prior, written consent, as provided in these routine uses:

1. Disclosures may be made to federal agencies and Department contractors that have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of this system of records (including ancillary functions, such as compiling reports and evaluating program effectiveness and contractor performance) and that have a need to have access to the records in order to assist HHS in performing the activity. Any contractor will be required to comply with the requirements of the Privacy Act.

2. Records may be disclosed to student volunteers, individuals working
under a personal services contract, and other individuals performing functions (including ancillary functions) relating to the purposes of this system of records for the Department but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions. For example, disclosure may be made to qualified experts not within the definition of HHS employees as prescribed in HHS regulations, for opinions as a part of the controlled data access process.

3. CMS records may be disclosed to a CMS contractor (including but not limited to Medicare Administrative Contractors, fiscal intermediaries, and carriers) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such program.

4. Records may be disclosed to another federal agency or an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency) that administers federally funded programs, or that has the authority to investigate, potential fraud, waste or abuse in federally funded programs, when disclosure is deemed reasonably necessary by HHS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy or otherwise combat fraud, waste or abuse in such programs.

5. When a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether federal, foreign, state, local, tribal, or otherwise, responsible for enforcing, investigating or prosecuting the violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to the enforcement, regulatory, investigative, or prosecutorial responsibility of the receiving entity.

6. Information may be disclosed to the U.S. Department of Justice (DOJ) or to a court or other tribunal, when:
   a. the agency or any component thereof, or
   b. any employee of the agency in his or her official capacity, or
   c. any employee of the agency in his or her individual capacity where DOJ has agreed to represent the employee, or
   d. the United States Government,
is a party to litigation or has an interest in such litigation and, by careful review, HHS determines that the records are both relevant and necessary to the litigation and that, therefore, the use of such records by the DOJ, court or other tribunal is deemed by HHS to be compatible with the purpose for which the agency collected the records.

7. Records may be disclosed to a federal, foreign, state, local, tribal, or other public authority of the fact that this system of records contains information relevant to the hiring or retention of an employee, the retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for further information if it so chooses. HHS will not make an initial disclosure unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another federal agency for criminal, civil, administrative, personnel, or regulatory action.

8. Information may be disclosed to a Member of Congress or Congressional staff member in response to a written inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained. The Congressional office does not have any greater authority to obtain records than the individual would have if requesting the records directly.

9. Records may be disclosed to the U.S. Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents.

10. Disclosures may be made to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

11. Disclosure may be made to another Federal agency or Federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

12. Disclosure of past performance information pertaining to contractors engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of this system of records may be made to a federal agency upon request and may include information about dataset requesters.

13. NIH dataset requester records may be included in records disclosed to governmental or authorized non-governmental entities with a signed data access agreement for system data that includes records about individuals requesting and receiving restricted datasets, to use in compiling reports (such as, on the composition of biomedical and/or research workforce; authors of publications attributable to federally-funded research; information made available through third-party systems as permitted by applicants or awardees for agency grants or contracts; or grant payment information reported to federal databases).

14. When records about a requester of an NIH restricted dataset are related to an award or application for award under an NIH award program, the dataset requester records may be disclosed to the award applicant, principal investigator(s), institutional officials, trainees or others named in the application, or institutional service providers for purposes of application preparation, review, or award management, and to the public consistent with reporting and transparency standards and to the extent disclosure to the public would not cause an unwarranted invasion of personal privacy.

15. HHS may disclose records from this system of records to the National Archives and Records Administration (NARA), General Services Administration (GSA), or other relevant
Federal Government agencies in connection with records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

Information about a dataset requester may also be disclosed from this system of records to parties outside HHS without the individual’s consent for any of the uses authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)–(11).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored in electronic databases and hard-copy files. CMS’s DUA tracking system records may also be stored on portable media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by the data requester’s name, registrant/user name, User ID Number, email address, or data use agreement (DUA) number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records needed to enforce data use restrictions are retained for 20 years by AHRQ (see DAA–0510–2013–0003–0001), 5 years by CMS (see Nl–440–10–

Security and Privacy Program, http://www.hhs.gov/ocio/securityprivacy/.

The safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras, securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours, limiting access to electronic databases to authorized users based on roles and the principle of least privilege, and two-factor authentication (user ID and password), using a secured operating system protected by encryption, firewalls, and intrusion detection systems, using an SSL connection for secure encrypted transmissions, requiring encryption for records stored on removable media, and training personnel in Privacy Act and information security requirements.

RECORD ACCESS PROCEDURES:

An individual who wishes to know if this system of records contains records about him or her should submit a written request to the relevant System Manager at the address indicated above. The individual must verify his or her identity by providing either a notarized request or a written certification that the

HISTORY:

80 FR 17447 (April 1, 2015).

[FR Doc. 2018–05176 Filed 3–13–18; 8:45 am]

BILLING CODE 4140–01–P

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Privacy Act of 1974; System of Records Notice

AGENCY: Health Resources and Services Administration (HRSA), Department of Health and Human Services (HHS).

ACTION: Notice of a new system of records.

SUMMARY: In accordance with the Privacy Act, HHS is establishing a new system of records to be maintained by HRSA System No. 09–15–0092 “HRSA Trainee Information Portal (TRIP).” The new system of records will cover data about health professionals/trainees receiving health care training supported by Bureau of Health Workforce (BHW) Federal awards (including, grants, cooperative agreements, contracts, scholarships and loans) (collectively referred to as awards), which BHW will
                                               04), and 3 years by NIH (see DAA–                       requester is who he or she claims to be               use in evaluating the success of its
                                               0443–2013–0004–0004) after the                          and understands that the knowing and                  programs. The new system of records is
                                               agreement is closed, and may be kept                    willful request for acquisition of a                  explained in the ‘‘Supplementary
                                               longer if necessary for enforcement,                    record pertaining to an individual under              Information’’ section of this notice and
                                               audit, legal, or other purposes. The                    false pretenses is a criminal offense                 fully described in the System of Records
                                               equivalent SAMHSA records will be                       under the Privacy Act, subject to a five              Notice (SORN) published in this notice.
                                               retained indefinitely until a disposition               thousand dollar fine.                                 DATES: In accordance with 5 U.S.C.
                                               schedule is approved by the National
                                                                                                       CONTESTING RECORD PROCEDURES:                         552a(e)(4) and (11), this notice is
                                               Archives and Records Administration
                                                                                                         An individual seeking to amend the                  effective upon publication, subject to a
                                               (NARA). SAMHSA anticipates
                                                                                                       content of information about him or her               30-day period in which to comment on
                                               proposing a 5 year retention period to
                                                                                                       in this system should contact the                     the routine uses, described below.
                                               NARA. Records of payments made
                                                                                                       relevant System Manager and                           Please submit any comments by April
                                               electronically are transmitted securely
                                                                                                       reasonably identify the record, specify               13, 2018.
                                               to a Payment Card Industry-compliant
                                               payment gateway for processing and are                  the information contested, state the                  ADDRESSES: The public should address
                                               not stored. Records of payments made                    corrective action sought, and provide                 written comments on the new system of
                                               by check, purchase order, or wire                       the reasons for the amendment, with                   records to Director, National Center for
                                               transfer are disposed of once the funds                 supporting justification.                             Health Workforce Analysis (NCHWA),
                                               have been received. Records are                                                                               BHW, HRSA, 5600 Fishers Lane,
                                                                                                       NOTIFICATION PROCEDURES:                              Rockville, Maryland 20857.
                                               disposed of using destruction methods
                                               prescribed by NIST SP 800–88.                              An individual who wishes to know if                FOR FURTHER INFORMATION CONTACT:
                                                                                                       this system of records contains records               General questions about the system of
                                               ADMINISTRATIVE, TECHNICAL, AND PHYSICAL                 about him or her should submit a
                                               SAFEGUARDS:
                                                                                                                                                             records may be submitted to Director,
                                                                                                       written request to the relevant System                National Center for Health Workforce
                                                 Records are safeguarded in                            Manager at the address indicated above.               Analysis (NCHWA), BHW, HRSA, 5600
                                               accordance with applicable laws, rules                  The individual must verify his or her                 Fishers Lane, Rockville, Maryland
                                               and policies, including the HHS                         identity by providing either a notarized              20857.
                                               Information Technology Security                         request or a written certification that the
                                               Program Handbook, all pertinent                         requester is who he or she claims to be               SUPPLEMENTARY INFORMATION:     Pursuant
                                               National Institutes of Standards and                    and understands that the knowing and                  to the Government Performance and
                                               Technology (NIST) publications, and                     willful request for acquisition of a                  Results Act (GPRA) of 1993 and the
daltland on DSKBBV9HB2PROD with NOTICES




                                               OMB Circular A–130, Managing                            record pertaining to an individual under              GPRA Modernization Act of 2010, BHW
                                               Information as a Strategic Resource.                    false pretenses is a criminal offense                 requires all recipients of Health
                                               Records are protected from                              under the Privacy Act, subject to a five              Professions awards to report annual
                                               unauthorized access through                             thousand dollar fine.                                 performance data to BHW to enable
                                               appropriate administrative, physical,                                                                         BHW to determine the success of its
                                               and technical safeguards. Safeguards                    EXEMPTIONS PROMULGATED FOR THE SYSTEM:                programs. The performance data must
                                               conform to the HHS Information                            None.                                               include information about health





Document Created: 2018-03-14 01:06:24
Document Modified: 2018-03-14 01:06:24
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7:
GS 4.107:
AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice of a modified system of records.
Dates: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable March 14, 2018, subject to a 30-day period in which to comment on the new and revised routine uses, described below. Please submit any comments by April 13, 2018.
Contact: General questions about the system of records should be submitted by mail, email, or phone to Beth Kramer, HHS Privacy Act Officer, at 200 Independence Avenue SW, Suite 729H, Washington, DC 20201; [email protected] or (202) 690-6941.
FR Citation: 83 FR 11213
