SUPPLEMENTARY INFORMATION:

HRSA administers the Children's Hospitals Graduate Medical Education (CHGME) Payment Program and Teaching Health Center Graduate Medical Education (THCGME) Payment Program, which make payments to children's hospitals and teaching health centers that operate GME programs. The Programs' authorities require that payments be calculated based in part on the number of FTE residents in the children's hospitals' and teaching health centers' approved residency training programs. See42 U.S.C. 256e(c) and 256h(c). Further, the Programs' authorities require a yearly reconciliation, i.e., a yearly determination of any changes to the number of residents reported by a children's hospital or teaching health center in its application, to determine the final amount payable each year. See42 U.S.C. 256e(e)(3) and 256h(f). HRSA engages a contractor to assist with this determination, which is referred to as the GME FTE Resident Assessment.

To obtain information needed to perform the GME FTE Resident Assessment, the HRSA contractor compiles and maintains records about individuals who are medical and dental residents in participating children's hospitals and teaching health centers. These records are retrieved by the residents' personal identifiers and therefore constitute a “system of records” as defined by the Privacy Act at 5 U.S.C. 552a(a)(5). This system of records, titled “Graduate Medical Education (GME) Full-Time Equivalent (FTE) Resident Assessment Records,” is more fully described in this Privacy Act System of Records Notice.

As required by 5 U.S.C. 552a(r), the Department has submitted a report on the proposed system of records to the Office of Management and Budget, the House Committee on Oversight and Government Reform, and the Senate Committee on Homeland Security and Governmental Affairs.

SYSTEM NAME AND NUMBER:

Graduate Medical Education (GME) Full-Time Equivalent (FTE) Resident Assessment Records, 09-15-0070.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of the agency component responsible for the system of records is: Division of Medicine and Dentistry, Bureau of Health Workforce, HRSA, 5600 Fishers Lane, Rockville, MD 20857. The contractor maintaining the system of records on behalf of HRSA is currently Integrity Management Services, Inc., located at 5911 Kingstowne Village Parkway, Suite 210, Alexandria, VA 22315.

SYSTEM MANAGER(S):

Contracting Officer's Representative, Division of Medicine and Dentistry, Bureau of Health Workforce, HRSA, 5600 Fishers Lane, Rockville, MD 20857.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The authorities for maintaining the system are 42 U.S.C. 256e (section 340E of the Public Health Service Act) and 42 U.S.C. 256h (section 340H of the Public Health Service Act).

PURPOSE(S) OF THE SYSTEM:

The primary purpose of the system of records is to enable HRSA to carry out the CHGME Payment Program authorized by 42 U.S.C. 256e and the THCGME Program authorized by 42 U.S.C. 256h. Records about medical and dental residents will be used to determine any changes to the number of residents reported by participating children's hospitals and teaching health centers in their applications to determine the final amount of GME reimbursement payable to each hospital and health center. To assist with this determination, which is referred to as the GME FTE Resident Assessment, HRSA engages a contractor (“fiscal intermediary”). Records will be used to assess the accuracy of the number of FTE residents reported (including ensuring that no residents are counted as more than one FTE resident) and to resolve discrepancies identified in the number of FTE residents reported. Records may also be used for program evaluation activities, such as conducting audits; establishing or verifying information provided by or about residents; and combating fraud, waste, or abuse of CHGME or THCGME funds. Other secondary purposes for which the records may be used are to enable HRSA to assist federal or state agency officials who carry out federal GME programs.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Records will pertain to medical and dental residents training at children's hospitals participating in the CHGME Payment Program and teaching health ( printed page 29144) centers participating in the THCGME Program.

CATEGORIES OF RECORDS IN THE SYSTEM:

The system stores information about residents' rotational training assignments and years completed in residency. Categories of records include, for each resident: identifying information ( e.g., name and Social Security number of the resident); type of residency program in which the individual participates and the number of years the resident has completed in all types of residency programs; dates the resident is assigned to the hospital and any hospital-based providers; dates the resident is assigned to other hospitals, or other freestanding providers, and any non-provider setting during the cost reporting period, if any; name of the medical, osteopathic, dental, or podiatric school from which the resident graduated and the date of graduation; documentation concerning foreign medical school graduation date and certification date, if the resident is a foreign medical graduate; name of the employer ( e.g., hospital, university, corporation) paying the resident's salary; percentage of time spent working in any area of the hospital complex or in a non-provider setting under agreement with the hospital for GME; and start and end dates assigned to the hospital and any hospital-based providers (assignment periods) during the children's hospital's or teaching health center's cost reporting period, the start and end dates assigned to any non-hospital or non-provider setting in connection with approved residency programs (assignment periods) during the children's hospital's or teaching health center's cost reporting period, and the full-time or part-time percentage during each assignment period.

RECORD SOURCE CATEGORIES:

Information in the records is obtained from participating children's hospitals or teaching health centers, which provide it on forms approved under Office of Management and Budget (OMB), including OMB control no. 0915-0247, if the children's hospital or teaching health center does not file a Medicare cost report with the Centers for Medicare & Medicaid Services (CMS). The system also includes records originally received by CMS on OMB-approved forms under OMB control no. 0938-0050, which are obtained from CMS if the children's hospital or teaching health center files a Medicare cost report with CMS.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to other disclosures which are authorized directly in the Privacy Act at 5 U.S.C. 552a(b), these routine uses, published pursuant to 5 U.S.C. 552a(b)(3), specify circumstances under which records from this system of records may be disclosed to parties outside HHS without the consent of the individual to whom the records pertain:

• Routine Use 1: Records may be disclosed to HHS contractors (including fiscal intermediaries) or other entities (including consultants, researchers and support personnel) that have been engaged by HHS to assist in carrying out functions relating to the purposes of this system of records and require access to the records in order to assist HHS. Such functions include but are not limited to: performing the FTE Resident Assessment; conducting audits; establishing or verifying information provided by or about residents; and combating fraud, waste, or abuse of CHGME or THCGME funds. The contractors, subcontractors, or other entities as defined in 5 U.S.C. 552a(m)(1) will be prohibited from using or disclosing the records for any purpose other than the purpose(s) specified by HRSA, to comply with the Privacy Act of 1974, as amended, enforced through Federal Acquisition Regulation Subpart 24.1 and required to return or destroy all records as specified by HRSA.
• Routine Use 2: HHS contractors or HRSA may disclose records to children's hospitals participating in the CHGME Payment Program and teaching health centers participating in the THCGME Program, if such records relate to individuals training in the hospital's or teaching health center's residency program, to facilitate compliance with CHGME Payment Program or THCGME Program requirements.
• Routine Use 3: When a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, HRSA may disclose the record to the appropriate agency or public authority responsible for enforcing, investigating or prosecuting such violation (including but not limited to Federal, Tribal, State, local, or foreign agencies or public authorities), if the information disclosed is relevant to the responsibilities of the agency or public authority.
• Routine Use 4: Records may be disclosed to the Department of Justice or to a court or other adjudicative body in litigation or other proceedings when any of the following is a party to the proceedings or has an interest in the proceedings and, by careful review, the agency determines that the records are both relevant and necessay to the proceedings: (a) HHS or any component thereof; or (b) any employee of HHS in the employee's official capacity; or (c) any employee of HHS in the employee's individual capacity where the Department of Justice or HHS has agreed to represent the employee; or (d) the United States Government.
• Routine Use 6: Records may be disclosed to appropriate agencies, entities, and persons when: (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach, there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
• Routine Use 7: Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in: (1) responding to a suspected or confirmed breach; or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored electronically in the system maintained by the HRSA contractor or subcontractor assisting with the GME FTE Resident Assessment. Contractors or subcontractors operating this system to collect, access and store records must obtain an Authority to Operate meeting security and privacy requirements in accordance with the Federal Information Security Modernization Act (44 United States Code 101), National Institute of Standards and Technology Special Publication 800-53, OMB Circular A-130, OMB Memoranda (17-12, 03-22), the Federal Risk and Authorization Management Program, Federal Information Processing Standards Publication 199, and HHS and HRSA applicable regulations and policies. ( printed page 29145)

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by the subject individual's name or Social Security number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

The GME FTE Resident Assessment Records are currently unscheduled and will be retained indefinitely until authorized for disposition under a schedule approved by the National Archives and Records Administration.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

HHS, HHS contractors, and subcontractors having access to the records have been trained in the Privacy Act and information security requirements. HHS, contractors, and subcontractor employees who maintain records in this system or have access to the records in the system are required to not release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access in accordance with applicable law. This system will conform to all applicable Federal laws and regulations and Federal, HHS, and HRSA policies and standards as they relate to information security and data privacy. Measures to prevent unauthorized disclosures of GME FTE Resident Assessment records are implemented as appropriate for each location or form of storage and for the types of records maintained. Safeguards conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/​ocio/​securityprivacy/​index.html. Site(s) implement personnel and procedural safeguards such as the following:

• Authorized Users: Access is strictly limited to authorized HHS and contractor personnel whose duties require such access ( i.e., who have a valid, business need-to-know).
• Administrative Safeguards: Administrative controls include the completion of a Security Assessment and Authorization package and a Privacy Impact Assessment for information technology systems used to maintain the records, and mandatory completion of annual HRSA Information Security and Privacy Awareness training for personnel authorized to access the records. The Security Assessment and Authorization package consists of a Security Categorization, e-Authentication Risk Assessment, System Security Plan, evidence of Security Control Testing, Plan of Action and Milestones, Contingency Plan, and evidence of Contingency Plan Testing. When the agency engages an outside contractor to support design, development, or operation of the system of records, the applicable Privacy Act Federal Acquisition Regulation clauses are inserted in solicitations and contracts.
• Physical Safeguards: Controls to secure the data and protect electronic records, buildings, and related infrastructure against threats associated with their physical environment include and/or HHS Personnel Security Clearance of HRSA employees, contractors, and subcontractors and the use of the HHS Personal Identity Verification card. Access to the restricted office area containing the rooms where records are stored is controlled through the use of limited access proximity cards. Only authorized users have access to these cards. Individuals who enter the restricted area without a limited access proximity card are under escort at all times. During regular business hours, rooms in this restricted area are unlocked but entry is controlled by on-site personnel. Rooms where records are stored are locked when not in use. Records are kept under the direct control of the System Manager, authorized federal employees, and/or delegated contractors and subcontractors. Contractor interaction with this system of records will occur on-site and no electronic records will be allowed to be removed from the GME FTE Resident Assessment System unless authorized. All authorized users of personal information in connection with the performance of their jobs will be required to protect information from public view and from unauthorized personnel entering an unsupervised area/office.
• Technical Safeguards: Electronic media are kept on secure servers or computer systems. Controls are employed to minimize the possibility of unauthorized access, use, or dissemination of the data in the system. They include user identification, password protection, firewalls, virtual private network, encryption, intrusion detection system, common access cards, smart cards, biometrics, and public key infrastructure. Computer records are accessible only through a series of code or keyword commands available from and under the direct control of the System Manager, authorized federal employees or delegated contractors and/or subcontractors. These records are secured by a multi-level security system which is capable of controlling access to the individual data field level. Persons having access to the computer database can be restricted to a confined application which permits only a narrow “view” of the data.

RECORD ACCESS PROCEDURES:

An individual seeking access to records about an individual in this system of records must submit a written access request to either the System Manager (see above “System Manager(s)” section), the HRSA Privacy Act Office (see above “ Addresses ” section), or the HHS FOIA/Privacy Act Public Access web portal at https://www.foia.gov/​agency-search.html?​id=​8ea3cba7-f377-40b9-b3cc-0b608c21342e&​type=​component. The request must contain the requester's (subject individual's) name, address, date of birth, and signature, and should also provide a reasonable description of the contents of the record being sought. To verify the requester's identity, the requester's signature must be notarized, or the request must include the requester's written certification that the requester is the person the requester claims to be and that the requester understands that the knowing and willful request for or acquisition of records pertaining to an individual from an agency under false pretenses is a criminal offense subject to a fine of up to $5,000. An individual may request that copies of the records be sent to them, or direct that the records be sent to a third party in accordance with the individual's signed, written consent (a pre-existing power of attorney may qualify as such a consent), or request an appointment to review the records in person (including with a person of their choosing, if they provide written authorization for agency personnel to discuss the records in that person's presence). An individual may also request an accounting of disclosures that have been made of records about them, if any. A court-appointed guardian for a subject individual who requests access to the individual's record must, in addition to verifying the individual's identity, verify the guardian's relationship to the individual and the guardian's own identity.

CONTESTING RECORD PROCEDURES:

Individuals (or their court-appointed guardians, if applicable) may seek to amend a record about them in this system of records by submitting a written amendment request to the System Manager (see above “System Manager(s)” section). The request must contain the same information required for an access request and must include verification of the requester's (and, if ( printed page 29146) applicable, the guardian's) identity in the same manner required for an access request. In addition, the request must reasonably identify the record, specify the information being contested, state the corrective action sought and the reason(s) for requesting the correction, and include supporting documentation to show how the record is inaccurate, incomplete, untimely, or irrelevant. Only information that is factually inaccurate, incomplete, untimely, or irrelevant may be contested.

NOTIFICATION PROCEDURES:

Individuals (or their court-appointed guardians, if applicable) who wish to know if this system of records contains records about them must submit a written notification request to the System Manager (see above “System Manager(s)” section). The request must contain the same information required for an access request and must include verification of the requester's (and, if applicable, the guardian's) identity in the same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.

91 FR 29143