83 FR 11217 - Privacy Act of 1974; System of Records Notice
DEPARTMENT OF HEALTH AND HUMAN SERVICES Federal Register Volume 83, Issue 50 (March 14, 2018)
Federal Register Volume 83, Issue 50 (March 14, 2018)
| Page Range | 11217-11219 | |
| FR Document | 2018-05062 |
[Federal Register Volume 83, Number 50 (Wednesday, March 14, 2018)] [Notices] [Pages 11217-11219] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2018-05062] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Privacy Act of 1974; System of Records Notice AGENCY: Health Resources and Services Administration (HRSA), Department of Health and Human Services (HHS). ACTION: Notice of a new system of records. ----------------------------------------------------------------------- SUMMARY: In accordance with the Privacy Act, HHS is establishing a new system of records to be maintained by HRSA System No. 09-15-0092 ``HRSA Trainee Information Portal (TRIP).'' The new system of records will cover data about health professionals/trainees receiving health care training supported by Bureau of Health Workforce (BHW) Federal awards (including, grants, cooperative agreements, contracts, scholarships and loans) (collectively referred to as awards), which BHW will use in evaluating the success of its programs. The new system of records is explained in the ``Supplementary Information'' section of this notice and fully described in the System of Records Notice (SORN) published in this notice. DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is effective upon publication, subject to a 30-day period in which to comment on the routine uses, described below. Please submit any comments by April 13, 2018. ADDRESSES: The public should address written comments on the new system of records to Director, National Center for Health Workforce Analysis (NCHWA), BHW, HRSA, 5600 Fishers Lane, Rockville, Maryland 20857. FOR FURTHER INFORMATION CONTACT: General questions about the system of records may be submitted to Director, National Center for Health Workforce Analysis (NCHWA), BHW, HRSA, 5600 Fishers Lane, Rockville, Maryland 20857. SUPPLEMENTARY INFORMATION: Pursuant to the Government Performance and Results Act (GPRA) of 1993 and the GPRA Modernization Act of 2010, BHW requires all recipients of Health Professions awards to report annual performance data to BHW to enable BHW to determine the success of its programs. The performance data must include information about health [[Page 11218]] professionals who directly or indirectly benefit from a BHW award. Currently, HRSA awardees submit performance data into the Electronic Handbooks (EHBs), an enterprise grants management system at HRSA. To reduce the reporting burden on awardees, BHW is developing a data collection portal that will allow awardees to collect individual- level trainee data (consisting of the trainee's name, training program, demographic information, aspects of their training, and employment information upon completion of training) directly from trainees via online surveys. For awardees that decide to communicate with trainees for this data collection, trainee email addresses may also be included. The survey responses will be collected, monitored, and managed in the portal, and awardees will be able to transmit and submit the data electronically into EHBs. Awardees will be able to send reminders or notifications to the trainees for initial surveys or any follow-up reminders. Awardees will also have the ability to directly upload bulk individual-level data rather than key in every required data field. Data elements collected in the portal about individual trainees will be the same as those already being collected in the EHBs; only the source and retrieval method are changing. Enabling awardees to collect individual level trainee data directly from trainees may result in more accurate annual reports to BHW. Retrieving information about individual trainees directly by trainee name or other personal identifier will improve BHW's ability to follow the trainees even after the completion of their training to find out if they are employed in health care and/ or work in underserved areas, as required to evaluate the effectiveness and success of BHW health professions programs. SYSTEM NAME AND NUMBER: HRSA Trainee Data Collection Portal System, 09-15-0092. SECURITY CLASSIFICATION: Unclassified. SYSTEM LOCATION: The address of the agency component responsible for the system of records is National Center for Health Workforce Analysis (NCHWA), BHW, HRSA, 5600 Fishers Lane, Rockville, Maryland 20857. SYSTEM MANAGER(S): Director, National Center for Health Workforce Analysis (NCHWA), BHW, HRSA, 5600 Fishers Lane, Rockville, Maryland 20857. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Section 761 of the Public Health Service Act (42 U.S.C. 294n), Health Professions Workforce Information and Analysis; Section 792 of the Public Health Service Act (42 U.S.C. 295k), Health Professions Data. PURPOSE(S) OF THE SYSTEM: The purpose of this system of records is to provide the agency with training data about individual health professionals benefitted by health care training funded by BHW programs, so that BHW can follow the trainees even after the completion of their training to find out if they are employed in health care and/or work in underserved areas, in order to evaluate the effectiveness and success of BHW health professions programs. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The records pertain to health care professionals who are reported by awardees as benefitting from health care training supported by BHW awards. CATEGORIES OF RECORDS IN THE SYSTEM: The system will collect and store demographic, training and general employment related information about the trainees at awardee and other funding recipient locations supported by BHW awards. Records about a particular trainee will be grouped by program and will contain data elements such as those listed below: Name; email address; HRSA unique ID; health professions training program; length of training program; National Provider Identifier (NPI) number (where applicable); enrollment status; sex; age; race; ethnicity; rural residential background status; disadvantaged background status; veteran status; BHW award received; academic years receiving BHW awards; % Full-Time Equivalent (FTE) paid; primary discipline; whether the individual received training in a primary care setting, medically underserved community, or rural area; number of hours of training received in a primary care setting, medically underserved community, or rural area; graduation/completion status; program attrition status; employment data city, state, and ZIP code; type of employment, training/employment status 1-year after graduation; employment status. RECORD SOURCE CATEGORIES: The sources of the trainee data reported to BHW will be Health Professions awardees and their trainees. Sources of the data BHW subsequently obtains to determine if trainees are employed in health care and/or work in underserved areas will include the trainees and their employers. NPI Number will be obtained from records maintained by HHS' Centers for Medicare & Medicaid Services. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES: Information about an individual trainee may be disclosed from this system of records to parties outside the agency without the individual's prior, written consent pursuant to these routine uses: 1. Any trainee data that a BHW awardee reports for its awards will be disclosed to that awardee organization, to use for its own award administrative purposes. 2. Records may be disclosed to agency contractors who have been engaged by the agency to assist in accomplishment of an HHS function relating to the purposes of this system of records and who need to have access to the records in order to assist HHS. Any contractor will be required to comply with the requirements of the Privacy Act. 3. Information may be disclosed to the U.S. Department of Justice (DOJ) or to a court or other tribunal, when: a. The agency or any component thereof, or b. any employee of the agency in his or her official capacity, or c. any employee of the agency in his or her individual capacity where DOJ has agreed to represent the employee, or d. the United States Government, is a party to litigation or has an interest in such litigation and, by careful review, HHS determines that the records are both relevant and necessary to the litigation and that, therefore, the use of such records by the DOJ, court or other tribunal is deemed by HHS to be compatible with the purpose for which the agency collected the records. 4. Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. [[Page 11219]] 5. Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach. 6. Records may be disclosed to the U.S. Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents. The disclosures authorized by publication of the above routine uses pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(4)-(11). POLICIES AND PRACTICES FOR STORAGE OF RECORDS: The agency will maintain the records on database servers with disk storage and backup tapes. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: The agency will retrieve records about an individual trainee by the trainee's name or other personal identifier, such as unique ID or email address. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: BHW is developing a record retention policy and disposition schedule for Training Information Portal (TRIP) records. Until a disposition schedule has been approved by the National Archives and Records Administration (NARA), the records will be retained indefinitely. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Authorized users include awardees and internal users such as government and contractor personnel who will provide support. Other than awardees, users are required to obtain favorable adjudication for a Level 5 Position of Public Trust. Government and contractor personnel who support the system must attend security training, sign a Non- Disclosure Agreement, and sign the Rules of Behavior, which is renewed annually. Users are given role-based access to the system on a limited need-to-know basis. All physical and logical access to the system is removed upon termination of employment. The system leverages the current HRSA EHBs process for authentication and authorization of all external awardee users. Records are safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook, all pertinent National Institutes of Standards and Technology (NIST) publications, and OMB Circular A-130, Managing Information as a Strategic Resource. Records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. Safeguards conform to the HHS Information Security and Privacy Program, http://www.hhs.gov/ocio/securityprivacy/. The safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras, securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours, limiting access to electronic databases to authorized users based on roles and the principle of least privilege, and two- factor authentication (user ID and password), using a secured operating system protected by encryption, firewalls, and intrusion detection systems, using an SSL connection for secure encrypted transmissions, requiring encryption for records stored on removable media, and training personnel in Privacy Act and information security requirements. Records that are eligible for destruction will be disposed of using secure destruction methods prescribed by NIST SP 800- 88. RECORD ACCESS PROCEDURES: An individual seeking access to records about himself or herself in this system of records must submit a written request to the System Manager (see above ``System Manager'' section). An access request must contain the name and address of the requester, email address or other identifying information, and his/her signature. To verify the requester's identity, the signature must be notarized or the request must include the requester's written certification that he/she is the person he/she claims to be and that he/she understands that the knowing and willful request for or acquisition of records pertaining to an individual under false pretenses is a criminal offense subject to a $5,000 fine. Requesters may also ask for an accounting of disclosures that have been made of their records, if any. CONTESTING RECORD PROCEDURES: An individual seeking to amend a record about him or her in this system of records must submit a written request to the System Manager (see above ``System Manager'' section). An amendment request must include verification of the requester's identity in the same manner required for an access request, and must reasonably identify the record and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant. NOTIFICATION PROCEDURES: An individual who wishes to know if this system of records contains records about himself or herself must submit a written request to the System Manager (see above ``System Manager'' section) and verify his or her identity in the same manner required for an access request. EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. HISTORY: None. Dated: March 8, 2018. George Sigounas, Administrator. [FR Doc. 2018-05062 Filed 3-13-18; 8:45 am] BILLING CODE 4160-15-P
![Federal Register / Vol. 83, No. 50 / Wednesday, March 14, 2018 / Notices 11217
Federal Government agencies in Security and Privacy Program, http:// HISTORY:
connection with records management www.hhs.gov/ocio/securityprivacy/. 80 FR 17447 (April 1, 2015).
inspections conducted under the The safeguards include protecting the [FR Doc. 2018–05176 Filed 3–13–18; 8:45 am]
authority of 44 U.S.C. 2904 and 2906. facilities where records are stored or
BILLING CODE 4140–01–P
Information about a dataset requester accessed with security guards, badges
may also be disclosed from this system and cameras, securing hard-copy
of records to parties outside HHS records in locked file cabinets, file DEPARTMENT OF HEALTH AND
without the individual’s consent for any rooms or offices during off-duty hours, HUMAN SERVICES
of the uses authorized directly in the limiting access to electronic databases to
Privacy Act at 5 U.S.C. 552a(b)(2) and authorized users based on roles and the Privacy Act of 1974; System of
(b)(4)–(11). principle of least privilege, and two- Records Notice
factor authentication (user ID and
POLICIES AND PRACTICES FOR STORAGE OF AGENCY: Health Resources and Services
RECORDS:
password), using a secured operating
system protected by encryption, Administration (HRSA), Department of
Records are stored in electronic Health and Human Services (HHS).
firewalls, and intrusion detection
databases and hard-copy files. CMS’s
systems, using an SSL connection for ACTION: Notice of a new system of
DUA tracking system records may also
secure encrypted transmissions, records.
be stored on portable media.
requiring encryption for records stored
POLICIES AND PRACTICES FOR RETRIEVAL OF on removable media, and training SUMMARY: In accordance with the
RECORDS: personnel in Privacy Act and Privacy Act, HHS is establishing a new
Records are retrieved by the data information security requirements. system of records to be maintained by
requester’s name, registrant/user name, HRSA System No. 09–15–0092 ‘‘HRSA
RECORD ACCESS PROCEDURES: Trainee Information Portal (TRIP).’’ The
User ID Number, email address, or data
use agreement (DUA) number. An individual who wishes to know if new system of records will cover data
this system of records contains records about health professionals/trainees
POLICIES AND PRACTICES FOR RETENTION AND about him or her should submit a receiving health care training supported
DISPOSAL OF RECORDS: written request to the relevant System by Bureau of Health Workforce (BHW)
Records needed to enforce data use Manager at the address indicated above. Federal awards (including, grants,
restrictions are retained for 20 years by The individual must verify his or her cooperative agreements, contracts,
AHRQ (see DAA–0510–2013–0003– identity by providing either a notarized scholarships and loans) (collectively
0001), 5 years by CMS (see Nl–440–10– request or a written certification that the referred to as awards), which BHW will
04), and 3 years by NIH (see DAA– requester is who he or she claims to be use in evaluating the success of its
0443–2013–0004–0004) after the and understands that the knowing and programs. The new system of records is
agreement is closed, and may be kept willful request for acquisition of a explained in the ‘‘Supplementary
longer if necessary for enforcement, record pertaining to an individual under Information’’ section of this notice and
audit, legal, or other purposes. The false pretenses is a criminal offense fully described in the System of Records
equivalent SAMHSA records will be under the Privacy Act, subject to a five Notice (SORN) published in this notice.
retained indefinitely until a disposition thousand dollar fine. DATES: In accordance with 5 U.S.C.
schedule is approved by the National
CONTESTING RECORD PROCEDURES: 552a(e)(4) and (11), this notice is
Archives and Records Administration
An individual seeking to amend the effective upon publication, subject to a
(NARA). SAMHSA anticipates
content of information about him or her 30-day period in which to comment on
proposing a 5 year retention period to
in this system should contact the the routine uses, described below.
NARA. Records of payments made
relevant System Manager and Please submit any comments by April
electronically are transmitted securely
reasonably identify the record, specify 13, 2018.
to a Payment Card Industry-compliant
payment gateway for processing and are the information contested, state the ADDRESSES: The public should address
not stored. Records of payments made corrective action sought, and provide written comments on the new system of
by check, purchase order, or wire the reasons for the amendment, with records to Director, National Center for
transfer are disposed of once the funds supporting justification. Health Workforce Analysis (NCHWA),
have been received. Records are BHW, HRSA, 5600 Fishers Lane,
NOTIFICATION PROCEDURES: Rockville, Maryland 20857.
disposed of using destruction methods
prescribed by NIST SP 800–88. An individual who wishes to know if FOR FURTHER INFORMATION CONTACT:
this system of records contains records General questions about the system of
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL about him or her should submit a
SAFEGUARDS:
records may be submitted to Director,
written request to the relevant System National Center for Health Workforce
Records are safeguarded in Manager at the address indicated above. Analysis (NCHWA), BHW, HRSA, 5600
accordance with applicable laws, rules The individual must verify his or her Fishers Lane, Rockville, Maryland
and policies, including the HHS identity by providing either a notarized 20857.
Information Technology Security request or a written certification that the
Program Handbook, all pertinent requester is who he or she claims to be SUPPLEMENTARY INFORMATION: Pursuant
National Institutes of Standards and and understands that the knowing and to the Government Performance and
Technology (NIST) publications, and willful request for acquisition of a Results Act (GPRA) of 1993 and the
daltland on DSKBBV9HB2PROD with NOTICES
OMB Circular A–130, Managing record pertaining to an individual under GPRA Modernization Act of 2010, BHW
Information as a Strategic Resource. false pretenses is a criminal offense requires all recipients of Health
Records are protected from under the Privacy Act, subject to a five Professions awards to report annual
unauthorized access through thousand dollar fine. performance data to BHW to enable
appropriate administrative, physical, BHW to determine the success of its
and technical safeguards. Safeguards EXEMPTIONS PROMULGATED FOR THE SYSTEM: programs. The performance data must
conform to the HHS Information None. include information about health
VerDate Sep<11>2014 18:17 Mar 13, 2018 Jkt 244001 PO 00000 Frm 00050 Fmt 4703 Sfmt 4703 E:\FR\FM\14MRN1.SGM 14MRN1](https://thefederalregister.org/doc/83_FR_11267/page/1.svg)
![Federal Register / Vol. 83, No. 50 / Wednesday, March 14, 2018 / Notices 11219
5. Records may be disclosed to need-to-know basis. All physical and accounting of disclosures that have been
another federal agency or federal entity, logical access to the system is removed made of their records, if any.
when HHS determines that information upon termination of employment. The
CONTESTING RECORD PROCEDURES:
from this system of records is system leverages the current HRSA
reasonably necessary to assist the EHBs process for authentication and An individual seeking to amend a
recipient agency or entity in (1) authorization of all external awardee record about him or her in this system
responding to a suspected or confirmed users. of records must submit a written request
breach or (2) preventing, minimizing, or to the System Manager (see above
Records are safeguarded in
remedying the risk of harm to ‘‘System Manager’’ section). An
accordance with applicable laws, rules
individuals, the recipient agency or amendment request must include
and policies, including the HHS
entity (including its information verification of the requester’s identity in
Information Technology Security
systems, programs, and operations), the the same manner required for an access
Program Handbook, all pertinent
federal government, or national security, request, and must reasonably identify
National Institutes of Standards and
resulting from a suspected or confirmed the record and specify the information
Technology (NIST) publications, and
breach. being contested, the corrective action
OMB Circular A–130, Managing
6. Records may be disclosed to the sought, and the reasons for requesting
Information as a Strategic Resource.
U.S. Department of Homeland Security the correction, along with supporting
Records are protected from
(DHS) if captured in an intrusion information to show how the record is
unauthorized access through
detection system used by HHS and DHS inaccurate, incomplete, untimely, or
appropriate administrative, physical,
pursuant to a DHS cybersecurity irrelevant.
and technical safeguards. Safeguards
program that monitors internet traffic to conform to the HHS Information NOTIFICATION PROCEDURES:
and from federal government computer Security and Privacy Program, http:// An individual who wishes to know if
networks to prevent a variety of types of www.hhs.gov/ocio/securityprivacy/. this system of records contains records
cybersecurity incidents. The safeguards include protecting the about himself or herself must submit a
The disclosures authorized by facilities where records are stored or written request to the System Manager
publication of the above routine uses accessed with security guards, badges (see above ‘‘System Manager’’ section)
pursuant to 5 U.S.C. 552a(b)(3) are in and cameras, securing hard-copy and verify his or her identity in the
addition to other disclosures authorized records in locked file cabinets, file same manner required for an access
directly in the Privacy Act at 5 U.S.C. rooms or offices during off-duty hours, request.
552a(b)(4)–(11). limiting access to electronic databases to
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
POLICIES AND PRACTICES FOR STORAGE OF authorized users based on roles and the
RECORDS: principle of least privilege, and two- None.
The agency will maintain the records factor authentication (user ID and HISTORY:
on database servers with disk storage password), using a secured operating None.
and backup tapes. system protected by encryption,
firewalls, and intrusion detection Dated: March 8, 2018.
POLICIES AND PRACTICES FOR RETRIEVAL OF systems, using an SSL connection for George Sigounas,
RECORDS: secure encrypted transmissions, Administrator.
The agency will retrieve records about requiring encryption for records stored [FR Doc. 2018–05062 Filed 3–13–18; 8:45 am]
an individual trainee by the trainee’s on removable media, and training BILLING CODE 4160–15–P
name or other personal identifier, such personnel in Privacy Act and
as unique ID or email address. information security requirements.
POLICIES AND PRACTICES FOR RETENTION AND
Records that are eligible for destruction DEPARTMENT OF HEALTH AND
DISPOSAL OF RECORDS: will be disposed of using secure HUMAN SERVICES
BHW is developing a record retention destruction methods prescribed by NIST
SP 800–88. National Institutes of Health
policy and disposition schedule for
Training Information Portal (TRIP) RECORD ACCESS PROCEDURES: Submission for OMB Review; 30-Day
records. Until a disposition schedule Comment Request; Generic Clearance
has been approved by the National An individual seeking access to
for the Collection of Qualitative
Archives and Records Administration records about himself or herself in this
Feedback on Agency Service Delivery
(NARA), the records will be retained system of records must submit a written
(NIH)
indefinitely. request to the System Manager (see
above ‘‘System Manager’’ section). An AGENCY: National Institutes of Health,
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL access request must contain the name HHS.
SAFEGUARDS: and address of the requester, email ACTION: Notice.
Authorized users include awardees address or other identifying
and internal users such as government information, and his/her signature. To SUMMARY: In compliance with the
and contractor personnel who will verify the requester’s identity, the Paperwork Reduction Act of 1995, the
provide support. Other than awardees, signature must be notarized or the National Institutes of Health (NIH) has
users are required to obtain favorable request must include the requester’s submitted to the Office of Management
adjudication for a Level 5 Position of written certification that he/she is the and Budget (OMB) a request for review
daltland on DSKBBV9HB2PROD with NOTICES
Public Trust. Government and person he/she claims to be and that he/ and approval of the information
contractor personnel who support the she understands that the knowing and collection listed below.
system must attend security training, willful request for or acquisition of DATES: Comments regarding this
sign a Non-Disclosure Agreement, and records pertaining to an individual information collection are best assured
sign the Rules of Behavior, which is under false pretenses is a criminal of having their full effect if received
renewed annually. Users are given role- offense subject to a $5,000 fine. within 30-days of the date of this
based access to the system on a limited Requesters may also ask for an publication.
VerDate Sep<11>2014 18:17 Mar 13, 2018 Jkt 244001 PO 00000 Frm 00052 Fmt 4703 Sfmt 4703 E:\FR\FM\14MRN1.SGM 14MRN1](https://thefederalregister.org/doc/83_FR_11267/page/3.svg)
Document Created: 2018-03-14 01:06:15
Document Modified: 2018-03-14 01:06:15
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice of a new system of records. | |
| Dates | In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is effective upon publication, subject to a 30-day period in which to comment on the routine uses, described below. Please submit any comments by April 13, 2018. | |
| Contact | General questions about the system of records may be submitted to Director, National Center for Health Workforce Analysis (NCHWA), BHW, HRSA, 5600 Fishers Lane, Rockville, Maryland 20857. | |
| FR Citation | 83 FR 11217 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR