Privacy Act: Systems of records,

[Federal Register: August 22, 2003 (Volume 68, Number 163)]

[Notices]

[Page 50795-50804]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr22au03-90]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare and Medicaid Services

Privacy Act of 1974; Report of New System

AGENCY: Centers for Medicare and Medicaid Services (CMS), Department of Health and Human Services (HHS).

ACTION: Notice of new system of records.

SUMMARY: In accordance with the requirements of the Privacy Act of 1974, we are proposing to establish a new system of records. The proposed system is titled, ``ASPEN Complaints/Incidents Tracking System (ACTS), HHS/CMS/CMSO, 09-70-1519.'' The primary purpose of the system of records is to track and process complaints and incidents reported against Medicare/Medicaid/CLIA providers and suppliers, and to maintain information on laboratory directors and owners. ACTS is a windows- based, program designed to track and process complaints and incidents reported against health care facilities regulated by the Centers for Medicare and Medicaid Services (CMS). It is designed to manage all operations associated with complaint/incident tracking and processing, from initial intake and investigation through the final disposition. ACTS allows CMS to track complaints/incidents, allegations, investigations, disposition and certain information for CLIA laboratories.

Information retrieved from this system of records will also be used to aid in the administration of the survey and certification of Medicare/Medicaid/CLIA providers and suppliers; support agencies of the State governments to determine, evaluate and assess overall effectiveness and quality of provider/supplier services provided in the State; aid in the administration of Federal and

[[Page 50796]]

State programs within the State; support constituent requests made to a Congressional representative, support litigation involving the agency, and facilitate research on the quality and effectiveness of care provided. We have provided background information about the proposed system in the SUPPLEMENTARY INFORMATION section below. Although the Privacy Act requires only that the ``routine use'' portion of the system be published for comment, CMS invites comments on all portions of this notice. See EFFECTIVE DATES section for comment period.

EFFECTIVE DATES: CMS filed a new system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on August 8, 2003.

ADDRESSES: The public should address comments to: Director, Division of Privacy Compliance Data Development (DPCDD), CMS, Room N2-04-27, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.-3 p.m., eastern time zone.

FOR FURTHER INFORMATION CONTACT: Wayne Smith, Finance, Systems and Budget Group, Center for Medicaid and State Operations, Centers for Medicare and Medicaid Services, 7500 Security Boulevard, Room S3-18-11, Baltimore, Maryland 21244-1850, Telephone Number: (410) 786-3258.

Steven Pelovitz, Survey and Certification Group, Center for Medicaid and State Operations, Centers for Medicare and Medicaid Services, 7500 Security Boulevard, Room S2-12-25, Baltimore, Maryland 21244-1850, Telephone Number: (410) 786-3160.

SUPPLEMENTARY INFORMATION:

  1. Description of the Proposed System of Records

    1. Glossary of Terms

      ACTS--ASPEN Complaints/Incidents Tracking System.

      ASPEN--Automated Survey Processing Environment.

      CLIA--Clinical Laboratory Improvement Amendments of 1988.

      OSCAR--Online Survey Certification and Reporting System.

    2. Background

      The implementation of ACTS is critical to CMS's mission of assuring that beneficiaries receive quality care in a safe environment. Several reports in recent years have highlighted this need. In March 1999, the General Accounting Office (GAO) issued a report entitled, ``Complaint Investigation Processes Often Inadequate to Protect Residents.'' GAO assessed the effectiveness of State complaint investigation practices and the role of CMS in establishing standards and conducting oversight. The GAO recommended stronger requirements, increased federal monitoring and improved tracking of findings for complaints. In addition, in 1999, the Office of the Inspector General (OIG) issued a report entitled ``The External Review of Hospital Quality.'' OIG recommended that CMS hold accreditation agencies and State agencies more fully accountable for their performance in reviewing hospitals. One of the areas that OIG made specific recommendations about was the handling of complaints. ACTS is part of CMS'' response to these recommendations.

      The ACTS responds to the concerns and problems found by the GAO, OIG and CMS'' own needs. The ability to capture data that are useful, analyze data in a meaningful way, and use the products of the analysis to make refinements and improvements is critical to continuous quality improvement. Before ACTS, complaint data was maintained in the OSCAR Complaint System. The OSCAR Complaint System collected a minimal amount of data that was the result of an onsite survey. The data in ACTS is much more comprehensive than data that was maintained in the OSCAR Complaint System. ACTS automates complaint management operations. ACTS is a windows-based, client-server application that tracks, processes, and reports on complaints/incidents made against certified health care providers and suppliers. It is designed to manage all operations associated with complaints/incidents processing, from initial intake and investigation through final disposition. It is fully integrated into the ASPEN standard system architecture. Specific fields are configurable by individual states to accommodate a variety of operations environments.

      ACTS is a national tracking system used by all States. It permits the collection procedures for complaints to be timely, consistent and complete. ACTS will eliminate redundant data collection systems, and it takes advantage of new technology and open systems architecture. ACTS will be used for all certified providers and suppliers. These providers and suppliers include: Skilled nursing facilities, nursing facilities, hospitals, home health agencies, end-stage renal disease facilities, hospices, rural health clinics, comprehensive outpatient rehabilitation facilities, outpatient physical therapy services, community mental health centers, federally qualified health centers, ambulatory surgical centers, portable X-Ray facilities, intermediate care facilities for persons with mental retardation, and CLIA laboratories. Data in ACTS is collected and entered by the State Survey Agencies and CMS Regional Offices.

    3. Statutory and Regulatory Basis for System of Records

      Section 1864 of the Social Security Act (the Act) states the Secretary may use State agencies to determine compliance by providers of services with the conditions of participation. Under section 1864(a) the Act, the Secretary uses the help of State health agencies, or other appropriate agencies, when determining whether health care entities meet Federal Medicare standards. Also, section 1902(a)(9)(A) of the Act requires that a State use this same agency to set and maintain additional standards for the State Medicaid program. Section 1902(a)(33)(B) requires that the State use the agency utilized for Medicare or, if such agency is not the State agency responsible for licensing health institutions, the State use the agency responsible for such licensing to determine whether institutions meet all applicable Federal health standards for Medicaid participation, subject to validation by the Secretary. The State survey agencies perform both Federal certification and State licensure functions, including the investigation of complaints and entity-reported incidents. Sections 1819(d) and 1919(d) of the Act require licensure under applicable State and local laws.

      Sections 1864 (c) and 1865 of the Act provides the basis for conducting complaint surveys of accredited hospitals and establishes the basic framework of complaint surveys for virtually all other accredited providers and suppliers. Regulations authorizing such surveys are found in 42 CFR 488.7(a)(2). 42 CFR 488.332 authorizes investigation of complaints of violations and monitoring of compliance. 42 CFR 488.335 authorizes actions on complaints of resident neglect and abuse, and misappropriation of resident property for nursing homes. 42 CFR 482.13(f) requires a hospital to report any death that occurs while a patient is restrained or in seclusion for behavior management, or where it is reasonable to assume that a patient's death is a

      [[Page 50797]]

      result of restraint or seclusion. 42 CFR 483.13 also requires nursing homes to ensure that all alleged violations involving mistreatment, neglect, abuse, including injuries of unknown source, and misappropriation of resident property are reported immediately to the administrator of the facility and to other officials in accordance with State law through established procedures, including to the State survey and certification agency. Section 353 of the Public Health Service Act (42 U.S.C. 263a) authorizes collection of information from any person or entity seeking certification under CLIA.

      The Privacy Act of 1974 requires Federal agencies to implement and publish procedures for the collection, maintenance, and storage of personal information. It requires that the information be gathered only for lawful purposes and that the disclosure of personally identifiable records must be limited and safeguarded. The Privacy Act allows disclosure of an individual's data without consent, given that the data will be used for a purpose that is compatible with the purpose for which the information was collected.

  2. Collection and Maintenance of Data in the System

    1. Scope of the Data Collected

      ACTS tracks allegations of complaints made against providers and suppliers. ACTS includes demographic data for identification of providers/suppliers, such as the Medicare identification number, name of the facility, address, city, state and ZIP code. ACTS contains data for identification of complainants, residents/patients, contacts/ witnesses, alleged perpetrators, survey team members, laboratory directors, and laboratory owners. Complainant information includes: Name, title, address, city, state, ZIP code, telephone numbers, e-mail address, and relationship to beneficiary, if applicable. Contacts/ Witnesses information includes: Name, title, address, city, state, ZIP code, telephone numbers, fax, and a field to indicate if the individual is a possible witness. Resident/patient information includes: Name, title, date of birth, gender, date admitted, date discharged, location, and room. ACTS also contains information related to any resident/ patient deaths that are associated with the use of restraints or seclusion. This information includes: Name, death type (restraint or seclusion) and date of death. Alleged Perpetrator information includes: Name, title, address, city, state, ZIP code, telephone numbers, license number, social security number and Alias name, if any. Survey Team information includes: Name, title, and surveyor identification number. Contact/Witnesses, Resident/Patient and Alleged Perpetrator are not mandatory fields in the ACTS database. These are optional data fields. ACTS will also maintain information for CLIA laboratories. Identifiable information for CLIA laboratories includes: Laboratory director's name, laboratory owner's name and Federal Tax Identification Number.

      ACTS will maintain Federal complaint information, as well as state licensure complaint information. State licensure information is both relevant and necessary to meet CMS' purposes. Under section 1864(a) of the Social Security Act (the Act), the Secretary uses the help of State health agencies, or other appropriate agencies, when determining whether health care entities meet Federal Medicare standards. Also, section 1902(a)(9)(A) of the Act requires that a State use this same agency to set and maintain additional standards for the State Medicaid program. Section 1902(a)(33)(B) requires that the State use the agency utilized for Medicare or, if such agency is not the State agency responsible for licensing health institutions, the State use the agency responsible for such licensing to determine whether institutions meet all applicable Federal health standards for Medicaid participation, subject to validation by the Secretary. The State survey agencies perform both Federal certification and State licensure functions, including the investigation of complaints and entity-reported incidents. In fact, sections 1819(d) and 1919(d) of the Act require licensure under applicable State and local laws. In order to encourage efficiency in State operations, ACTS permits collection of Federal and State information, so that the States may maintain only one database, instead of multiple systems. CMS does seek to eliminate duplicative processes and unnecessary burden, to the extent possible, so that the States can achieve more effective management of their certification and licensure responsibilities.

      There are mechanisms in ACTS that allow users to distinguish between information that is collected for the purpose of meeting the 1864 Agreement from information that is collected for State licensure purposes. ACTS supports the entry of both Federal and State licensure information, thus reflecting the actual business practices of State agencies as they track complaints and incidents. In many areas, ACTS allows entry of both types of information while still maintaining discrete records to support separate and different views, reports and statistics. Federal and State licensure data are stored in the same tables in the database. However, Federal and State licensure data is easily discernable and separate. For reporting purposes, ACTS allows users to exclude complaint and incidents against state licensure only facilities using Facility Type filters. Report customization features in ACTS also allow users to include or exclude complaints or incidents that contain only State-licensure elements.

    2. Agency Policies, Procedures, and Restrictions on the Routine Use

      The Privacy Act permits us to disclose information without an individual's consent if the information is to be used for a purpose, which is compatible with the purpose(s) for which the information was collected. Any such disclosure of data is known as a ``routine use.'' CMS has the following policies, procedures and restrictions on routine use disclosures of information that will be maintained in the system. In general, disclosure of information from the system of records will be approved only for the minimum information necessary to accomplish the purpose of the disclosure after CMS:

      (a) Determines that the use or disclosure is consistent with the reason that the data is being collected, e.g., track and process complaints and incidents reported against Medicare/Medicaid/CLIA providers and suppliers, and to maintain information on laboratory directors and owners.

      (b) Determines:

      (1) That the purpose for which the disclosure is to be made can only be accomplished if the record is provided in individually identifiable form;

      (2) That the purpose for which the disclosure is to be made is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring; and

      (3) That there is a strong probability that the proposed use of the data would in fact accomplish the stated purpose(s).

      (c) Requires the information recipient to:

      (1) Establish administrative, technical, and physical safeguards to prevent unauthorized use of disclosure of the record;

      (2) Remove or destroy at the earliest time all patient-identifiable information; and

      (3) Agree not to use or disclose the information for any purpose other than the stated purpose under which the information was disclosed.

      (d) Determines that the data are valid and reliable.

      [[Page 50798]]

      (e) Secure a written statement or agreement from the prospective recipient if the information whereby the prospective recipient attests to an understanding of, and willingness to abide by, the foregoing provisions and any additional provisions that CMS deems appropriate in the particular circumstance.

  3. Proposed Routine Use Disclosures of Data in the System

    1. Entities Who May Receive Disclosure Under Routine Use

      The routine use disclosures of identifiable data for ACTS may occur to the following categories of entities. In addition, our policy will be to prohibit release even of non-identifiable data beyond the listed categories, if there is a possibility that an individual can be identified through implicit deduction based on small cell sizes.

      1. To the Department of Justice (DOJ), court or adjudicatory body when

        (a) The agency or any component thereof; or

        (b) Any employee of the agency in his or her official capacity; or

        (c) Any employee of the agency in his or her individual capacity whether the DOJ has agreed to represent the employee; or

        (d) The United States Government

        is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and the use of such records by the DOJ, court or adjudicatory body is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records.

        Whenever CMS is involved in litigation, and occasionally when another party is involved in litigation and CMS' policies or operations could be affected by the outcome of the litigation, CMS would be able to disclose information to the DOJ, court or adjudicatory body involved. A determination would be made in each instance that, under the circumstances involved, the purposes served by the use of the information in the particular litigation is compatible with a purpose for which CMS collects the information.

      2. To agency contractors, or consultants who have been engaged by the agency to assist in the performance of a service related to this system of records and who need to have access to the records in order to perform the activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 52a(m).

        We contemplate disclosing information under this routine use only in situations in which CMS may enter into a contract or similar agreement with a third party to assist in accomplishing CMS functions relating to purposes for this system of records. CMS occasionally contracts out certain of its functions when doing so would contribute to effective and efficient operations. CMS must be able to give a contractor whatever information is necessary for the contractor to fulfill its duties. In these situations, safeguards are provided in the contract prohibiting the contractor from using or disclosing the information for any purpose other than that described in the contract and requires the contractor to return or destroy all information at the completion of the contract.

      3. To a CMS contractor (including, but not limited to fiscal intermediaries and carriers) that assists in the administration of a CMS administered health benefits program, or to a grantee of a CMS administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such program.

        We contemplate disclosing information under this routine use only in situations in which CMS may enter into a contract or similar agreement with a third party to assist in accomplishing CMS functions relating to purposes for this system of records.

      4. To a Quality Improvement Organization (QIO) in order to assist the QIO to perform Title XI and Title XVIII functions relating to assessing and improving quality of care. QIO's work to implement quality improvement programs; provide consultation to CMS, its contractors, and to State agencies. The QIO's provide a supportive role to health care facilities in their endeavors to comply with Medicare Conditions of Participation; assist State agencies in related monitoring and enforcement efforts; assist CMS in program integrity assessment; and prepare summary information about the nation's health care for release to beneficiaries.

      5. To the agency of a State Government, or established by State law, for purposes of determining, evaluating and/or assessing overall or aggregate cost, effectiveness, and/or the quality of services provided in the State; for developing and operating Medicaid reimbursement systems; or for the purpose of administration of Federal/ State program within the State. Data will be released to the State only on those individuals who are either patients within the State, or are legal residents of the State, regardless of the location of the facility in which the patient is receiving services.

      6. To a Federal or State agency (e.g., State Medicaid agencies) to contribute to the accuracy of CMS's health insurance operations (payment, treatment and coverage) and/or to support State agencies in the evaluation and monitoring of care. Data may be released to State agencies such as State Ombudsmen, State Licensing Boards, and Adult Protective Services.

        Other Federal or State agencies in their administration of a Federal health program may require ACTS information in order to support evaluations and monitoring of Medicare claims information of beneficiaries. Releases of information would be allowed if the proposed use(s) for the information proved compatible with the purpose for which CMS collects the information.

      7. To another Federal agency (e.g., Office of the Inspector General, General Accounting Office) or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency), that administers, or that has the authority to investigate potential fraud or abuse in, a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such programs.

        Other agencies (e.g., Medicaid Fraud Control Units) may require ACTS information for combating fraud and abuse in such federally funded programs. Releases of information would be allowed if the proposed use(s) for the information proved compatible with the purposes of collecting the information.

      8. To an individual or organization for research, evaluation, or epidemiological project related to the prevention of disease or disability, or the restoration or maintenance of health, and for payment related projects.

        CMS anticipates that many researchers will have legitimate requests to use these data in projects that could ultimately improve the care provided to Medicare and Medicaid patients and the policy that governs the care. CMS understands the concerns about the privacy and confidentiality of the release of data for a research use. Disclosure of ACTS data for research and evaluation purposes will usually involve aggregate data rather than individual-specific data.

        [[Page 50799]]

      9. To a member of Congress or to a congressional staff member in response to an inquiry of the Congressional Office made at the written request of the constituent about whom the record is maintained.

        Beneficiaries, as well as other individuals, may request the help of a member of Congress in resolving an issue relating to a matter before CMS. The member of Congress then writes CMS, and CMS must be able to give sufficient information to be responsive to the inquiry.

      10. To a national accreditation organization that has been granted deeming authority by CMS for the purpose of improving the quality of care provided through the provision of health care accreditation and related services that support performance improvement and monitors the quality of deemed providers/suppliers through the investigation of complaints (e.g., JCAHO, AOA, AAAASF, AAAHC, AABB, ASHI, CAP, CARF, CHAP, COLA).

      11. To a Protection and Advocacy Group that provides legal representation and other advocacy services for the purposes of monitoring, investigating and attempting to remedy adverse conditions, and for responding to allegations of abuse, neglect and violations of the rights of persons with disabilities.

      12. To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local law enforcement agencies) for a civil or criminal law enforcement activity (e.g., police, FBI, State Attorney General's office).

    2. Additional Provisions Affecting Routine Use Disclosures

      In addition, CMS policy will be to prohibit release even of non- identifiable data, except pursuant to one of the routine uses, if there is a possibility that an individual can be identified through implicit deduction based on small cell sizes (instances where the patient population is so small that individuals who are familiar with the enrollees could, because of the small size, use this information to deduce the identity of the beneficiary).

      This System of Records contains Protected Health Information as defined by the Department of Health and Human Services' regulation ``Standards for Privacy of Individually Identifiable Health Information'' (45 CFR parts 160 and 164, 65 FR 82462 (12-28-00), subparts A and E. Disclosures of Protected Health Information authorized by these routine uses may only be made if, and as, permitted or required by the ``Standards for Privacy of Individually Identifiable Health Information.''

  4. Safeguards

    The ACTS system conforms to applicable laws and policy governing the privacy and security of Federal automated information systems. These include but are not limited to: the Privacy Act of 1974, Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger- Cohen Act of 1996, and OMB Circular A-130, Appendix III, ``Security of Federal Automated Information Resources''. CMS has prepared a comprehensive System Security Plan as required by OMB Circular A-130, Appendix III. This plan conforms to guidance issued by the National Institute for Standards and Technology (NIST) in NIST Special Publication 800-18, ``Guide for Developing Security Plans for Information Technology Systems.'' Paragraphs A-C of this section highlight some of the specific methods that CMS is using to ensure the security of this system and the information within it.

    1. Authorized Users and Access Control

      Personnel having access to the system have been trained in Privacy Act and system security requirements. Employees and contractors who maintain records in the system are instructed not to release any data until the intended recipient agrees to implement appropriate administrative, technical, procedural, and physical safeguards sufficient to protect the confidentiality of the data and to prevent unauthorized access to the data. In addition, CMS monitors authorized users to ensure against excessive or unauthorized use. Records are used in a designated work area and system location is attended at all times during working hours.

      To ensure security of the data, authentication and access control profiles are maintained within both the database and the ACTS application system used to view information in the database. Within the database access, control is implemented by assigning the proper access profile for each individual user as determined at the State agency level. This prevents unauthorized users from accessing and modifying critical data using other system tools not provided by CMS.

      Database-level Protections: The State database upon which ACTS operates includes five classes of database users:

      [sbull] Database Administrator class owns the database objects; e.g., tables, triggers, indexes, stored procedures, packages and has database administration privileges to these objects;

      [sbull] Quality Control Administrator class has read and write access to key fields in the database;

      [sbull] ASPEN User class provides read and write access to tables and fields, which are required to support complaint, survey and related activities.

      [sbull] Quality Indicator Report Generator class has read-only access to all fields and tables;

      [sbull] Policy Research class has query access to tables, but are not allowed to access confidential patient identification information.

      ACTS Application-Level Protections: All ASPEN applications, including ACTS, provide user login/password authentication, which is tied directly to each State's internal network user login process. Internal application access controls, which secure system functions to pre-approved user groups, are also a key safeguard controlling user access to functions and data. ACTS application and related database safeguards include:

      [sbull] Application login: All ASPEN users must be authenticated to their State or CMS regional office network as a pre-requisite for starting an ASPEN application. This is enforced internally by the ASPEN application. Thus, only known, pre-authenticated users may start an ASPEN application.

      [sbull] Application access control: Once authenticated, ASPEN users may only view information and perform tasks according to pre-assigned security and access control profiles determined by the system administrator. Security profiles may be assigned down to the level of individual menu functions, action buttons and form displays. This means ASPEN allows State and CMS RO administrators to finely tune which users may view certain information and perform specific tasks within the system (such as adding or modifying complaint information). Thus, while a complaint investigator may be able to update findings for a specific complaint, they may be prohibited through their security profile from removing complaints from the system.

      [sbull] Provider Type Access Control: In addition to the data and access control security just described, ASPEN allows administrators to specify user access to information based on provider category. For example, while an investigator may have a security profile that enables the investigator to add findings to a complaint, the system administrator may limit this user to specific categories of providers/ suppliers, such as nursing homes--thus, preventing the user from changing findings of complaints for other types of providers/suppliers. An

      [[Page 50800]]

      ASPEN user must have both a security profile that allows a specific function to be performed, and be assigned to appropriate Provider Type access before a specific system action may be taken against a provider/ supplier type.

      [sbull] Secondary Database Access Control: Since ASPEN provides an Application-centric security model, it is not necessary to assign each ASPEN user an individual Oracle user name, password and Oracle profile. Instead, all ASPEN users share a single Oracle login whose password is known only by CMS. This protects against a significant threat to data integrity: access to the Oracle database using non-ASPEN system tools; thus, preventing accidental or malicious bypassing of the ASPEN security controls through third-party system tools which may be capable of connecting to Oracle databases. ACTS users may only access ASPEN data via the security-controlled environment of the ACTS application.

      [sbull] Audit trail: ACTS maintains an audit trail for key information elements in the database. Any changes made to these elements via the ACTS system are logged. The log includes information on which element was changed, who changed it, the time of change and prior and current values for the element.

    2. Physical Safeguards

      All server sites have implemented the following minimum requirements to assist in reducing the exposure of computer equipment and thus achieve an optimum level of protection and security for the ACTS system:

      Access to all servers is controlled, with access limited to only those support personnel with a demonstrated need for access. Servers are to be kept in a locked room accessible only by specified management and system support personnel. Each server requires a specific log-on process. All entrance doors are identified and marked. A log is kept of all personnel who were issued a security card, key and/or combination that grants access to the room housing the server, and all visitors are escorted while in this room. All servers are housed in an area where appropriate environmental security controls are implemented, which include measures implemented to mitigate damage to Automated Information Systems resources caused by fire, electricity, water and inadequate climate controls.

      Protection applied to the system administration workstations and the Windows 2000 servers, which house the ACTS Oracle database, include:

      [sbull] User Log-ons--Authentication is performed by the Windows 2000 Primary Domain Controller/Backup Domain Controller of the log-on domain.

      [sbull] Workstation Names--Workstation naming conventions may be defined and implemented at the State agency level.

      [sbull] Hours of Operation--May be restricted by Windows 2000. When activated all applicable processes will automatically shut down at a specific time and not be permitted to resume until the predetermined time. The appropriate hours of operation are determined and implemented at the State agency level.

      [sbull] Inactivity Log-out--Access to the 2000 workstation is automatically logged out after a specified period of inactivity.

      [sbull] Warnings--Legal notices and security warnings display on all servers and workstations.

      There are several levels of security found in the overall ASPEN system. Windows 2000 servers provide much of the overall system security. The Windows 2000 security model is designed to meet the C2- level criteria as defined by the U.S. Department of Defense's Trusted Computer System Evaluation Criteria document (DoD 5200.28-STD, December 1985). Other non-ACTS CMS functions are supported on the same Windows 2000/Oracle servers as ACTS--such as MDS submission from facilities. Such operations are performed via separate Netscape Enterprise Server, which provides an additional layer of user authentication, security and access control. In this case, Netscape controls all CMS information access requests. Anti-virus system is applied at both the system administration workstation and Windows 2000 server levels.

      Access to different areas on the Windows NT server is maintained through the use of file, directory and share level permissions. These different levels of access control provide security that is managed at the user and group level within the Windows 2000 server domain. The file and directory level access controls rely on the presence of a Windows NT File System (NTFS) hard drive partition. This provides the most robust security and is tied directly to the file system. Windows 2000 security is applied at both the workstation and Windows 2000 server levels.

      Firewalls have been installed on each State server. Appendix A lists the location of each State server. A firewall is a security feature that does not allow unwanted or unsolicited network traffic to flow to certain parts of the system. A Cisco 3640 router is installed at each state. These routers have been programmed to allow the state IP addresses to access certain locations within the CMS network. CMS contractors set up and manage the routers. Using CMS specifications, they have installed the allowed IP's to the router tables. If an unauthorized IP tries to access the CMS data, the firewall (router) will pass the request away from its intended destination. That is, if the firewall does not match the IP of the request to an allowed IP in its table, the request will not be fulfilled. CMS contractors monitor the firewalls and review them for anomalies that could represent a hacking attempt or a hardware problem.

    3. Procedural Safeguards

      All automated systems must comply with Federal and State laws, guidance, and policies for information systems security, as stated previously in this section. Each State must ensure a level of security commensurate with the level of sensitivity of the data, risk, and magnitude of the harm that may result from the loss, misuse, disclosure, or modification of the information contained in the system.

  5. Effects of the Proposed System of Records on Individual Rights

    CMS proposes to establish this system in accordance with the principles and requirements of the Privacy Act and will collect, use, and disseminate information only as prescribed therein. Data in this system will be subject to the authorized releases in accordance with the routine uses identified in this system of records. CMS and the State Survey Agencies will monitor the collection and reporting of ACTS data.

    CMS and the State Survey Agencies will take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy or other personal or property rights of individuals whose data are maintained in the system. CMS will collect only that information necessary to perform the system's functions.

    To ensure data that resides in a CMS Privacy Act System of Records; to ensure the integrity, security, and confidentiality of information maintained by CMS; and to permit appropriate disclosure and use of such data as permitted by law, CMS and the non-CMS recipient of the data, hereafter termed ``User,'' enter into an agreement to comply with the following specific requirements. The agreement addresses the conditions under which CMS will disclose and the user will obtain and use the information contained in the system of records. The parties mutually agree that CMS retains ownership rights to the data and that the user does not

    [[Page 50801]]

    obtain any right, title, or interest in any of the data furnished by CMS. The user represents and warrants further that the facts and statements made in any study or research protocol or project plan submitted to CMS for each purpose are complete and accurate. The user shall not disclose, release, reveal, show, sell, rent, lease, loan, or otherwise grant access to the data disclosed from the system of records to any person. The user agrees that access to the data shall be limited to the minimum number of individuals necessary to achieve the purpose stated in the protocol and to those individuals on a need to know basis only. If CMS determines or has reasonable belief that the user has made an unauthorized disclosure of the data, CMS in its sole discretion may require the user to: (a) Promptly investigate and report to CMS any alleged or actual unauthorized disclosures; (b) promptly resolve any problems identified by the investigation; (c) submit a formal response to any allegation of unauthorized disclosures; (d) submit a corrective action plan with steps to prevent any future unauthorized disclosures; and (e) return data files to CMS. If CMS determines or has reasonable belief that unauthorized disclosures have taken place, CMS may refuse to release further CMS data to the user for a period to be determined by CMS.

    The Privacy Act provides criminal penalties for certain violations. The Act provides that ``Any officer or employee of an agency, who by virtue of his (or her) employment or official position, has possession of, or access to agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established there under, and who knowing that disclosure of the specific materials is so prohibited, willfully discloses the material in any manner to a person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000'' (5 U.S.C. 552a(i)(1)). The Act also provides that ``Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000'' (5 U.S.C. 552a(i)(3)). The agency's contractor and any contractors' employees who are covered by 5 U.S.C. 552a(m)(1) are considered employees of the agency for the purposes of these criminal penalties.

    CMS, therefore, does not anticipate an unfavorable effect on individual privacy as a result of the disclosure of information relating to individuals.

    Dated: August 8, 2003. Thomas A. Scully, Administrator, Centers for Medicare & Medicaid Services. System No. 09-70-1519

    SYSTEM NAME:

    ASPEN Complaints/Incidents Tracking System (ACTS).

    SECURITY CLASSIFICATION:

    Level Three Privacy Act Sensitive Data.

    SYSTEM LOCATION:

    CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850. Federal Servers are located at each State agency. Appendix A lists the location of each State server.

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    Identifiable information will be retained in the system of records for individuals who are complainants, residents/clients, contacts/ witnesses, alleged perpetrators, survey team members, laboratory directors, and laboratory owners.

    CATEGORIES OF RECORDS IN THE SYSTEM:

    ACTS contains information related to allegations of complaints and incidents filed against Medicare, Medicaid or CLIA certified providers or suppliers. The system contains demographic and identifying data, as well as survey and deficiency data. Identifying data includes: Names, title, address, city, state, ZIP code, e-mail address, telephone numbers, fax number, licensure number, social security number, Federal tax identification number, alias names, date of birth, gender, date admitted and/or date discharged.

    ACTS maintains Federal complaint information, as well as state licensure complaint information. State licensure information is both relevant and necessary to meet CMS'' purposes. CMS uses the help of State health agencies, or other appropriate agencies, when determining whether health care entities meet Federal Medicare standards. The State survey agencies perform both Federal certification and State licensure functions, including the investigation of complaints and entity- reported incidents. The Social Security Act requires that providers/ suppliers receive licensure under applicable State and local laws. In order to encourage efficiency in State operations, ACTS permits collection of Federal and State information. ACTS allows users to distinguish between Federal information and information that is collected for State licensure purposes. ACTS supports the entry of both Federal and state licensure information, thus reflecting the actual business practices of state agencies as they track complaints and incidents. In many areas, ACTS allows entry of both types of information while still maintaining discrete records to support separate and different views, reports and statistics.

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    Sections 11819(d), 1864, 1865, 1902(a)(9)(A), 1902(a)(33)(B), and 1919(d) of the Social Security Act. Section 353 of the Public Health Service Act (42 U.S.C. 263a), 42 CFR 482.13(f), 42 CFR 483.13, 42 CFR 488.7(a)(2), 42 CFR 488.332, and 42 CFR 488.335.

    PURPOSE(S):

    The primary purpose of the system of records is to track and process complaints and incidents reported against Medicare/Medicaid/ CLIA providers and suppliers, and to maintain information on laboratory directors and owners.

    ACTS provides access to survey and provider/supplier information for data-driven analysis and evaluation. This system will improve CMS's ability to monitor the performance of State Survey Agencies including analyzing program variations and more effectively managing program costs. Information retrieved from this system of records will be used to aid in the administration of the survey and certification of Medicare/Medicaid/CLIA providers and suppliers; support agencies of the State governments to determine, evaluate and assess overall effectiveness and quality of provider/supplier services provided in the State; aid in the administration of Federal and State programs within the State; support constituent requests made to a Congressional representative, support litigation involving the agency, and facilitate research on the quality and effectiveness of care provided.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES:

    The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. We are proposing to establish the following routine use disclosures of information maintained in the system:

    1. To the Department of Justice (DOJ), court or adjudicatory body when:

      (a) The agency or any component thereof; or

      [[Page 50802]]

      (b) Any employee of the agency in his or her official capacity; or

      (c) Any employee of the agency in his or her individual capacity when the DOJ has agreed to represent the employee; or

      (d) The United States Government; is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and the use of such records by the DOJ, court or adjudicatory body is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records.

    2. To agency contractors, or consultants who have been engaged by the agency to assist in the performance of a service related to this system of records and who need to have access to the records in order to perform the activity.

    3. To a CMS contractor (including, but not necessarily limited to fiscal intermediaries and carriers) that assists in the administration of a CMS-administrated health benefits program, or to a grantee of a CMS-administered health benefits program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such program.

    4. To a Quality Improvement Organization (QIO) in order to assist the QIO to perform Title XI and Title XVIII functions relating to assessing and improving quality of care.

    5. To the agency of a State Government, or established by State law, for purposes of determining, evaluating and/or assessing overall or aggregate cost, effectiveness, and/or the quality of services provided in the State; for developing and operating Medicaid reimbursement systems; or for the purpose of administration of Federal/ State programs within the State.

    6. To a Federal or State agency (e.g., State Medicaid agencies) to contribute to the accuracy of CMS's health insurance operations (payment, treatment and coverage) and/or to support State agencies in the evaluation and monitoring of care.

    7. To another Federal agency (e.g., Office of the Inspection General, General Accounting Office, Medicaid Fraud Control Unit) or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency) that administers, or that has the authority to investigate potential fraud or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such programs.

    8. To an individual or organization for research, evaluation, or epidemiological project related to the prevention of disease or disability, the restoration or maintenance of health, or payment related projects.

    9. To a member of Congress or to a congressional staff member in response to an inquiry of the Congressional Office made at the written request of the constituent about whom the record is maintained.

    10. To a national accreditation organization that has been granted deeming authority by CMS for the purpose of improving the quality of care provided through the provision of health care accreditation and related services that support performance improvement and monitors the quality of deemed providers/suppliers through the investigation of complaints.

    11. To a Protection and Advocacy Group that provides legal representation and other advocacy services for the purposes of monitoring, investigating and attempting to remedy adverse conditions, and for responding to allegations of abuse, neglect, and violations of the rights of persons with disabilities.

    12. To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local law enforcement agencies) for a civil or criminal law enforcement activity (e.g., police, FBI, State Attorney General's office).

      POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM: STORAGE:

      All records are stored on the magnetic disk sub-system of the Windows 2000 server. Furthermore, these records are saved to magnetic tape backup on a nightly basis.

      RETRIEVABILITY:

      The Medicare, Medicaid, and CLIA records are retrieved by name of provider/supplier, Medicare provider number, ACTS Complaint number, State assigned Medicaid number, or other CMS assigned numbers, complainant's name, resident/patient's name, contact/witnesses name, alleged perpetrator's name, survey team member's name, surveyor identification number, laboratory director's name, laboratory owner's name or federal tax identification number.

      SAFEGUARDS:

      CMS has safeguards for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the system have been trained in the Privacy Act and systems security requirements. Employees who maintain records in the system are instructed not to release any data until the intended recipient agrees to implement appropriate administrative, technical, procedural, and physical safeguards sufficient to protect the confidentiality of the data and to prevent unauthorized access to the data.

      In addition, CMS has physical safeguards in place to reduce the exposure of computer equipment and thus achieve an optimum level of protection and security for the ACTS system. For computerized records, safeguards have been established in accordance with the Department Health and Human Services standards and National Institute of Standards and Technology guidelines, e.g., security codes will be used, limiting access to authorized personnel. System securities are established in accordance with HHS, Information Resource Management Circular 10, Automated Information System Security Program; CMS Automated Information Systems (AIS) Guide, Systems Securities Policies, and OMB Circular No. A-130 (revised), Appendix III.

      RETENTION AND DISPOSAL:

      CMS will retain identifiable ACTS data for a total period not to exceed 15 years.

      SYSTEM MANAGER(S) AND ADDRESS:

      Director, Finance, Systems and Budget Group, Center for Medicaid and State Operations, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.

      Director, Survey and Certification Group, Center for Medicaid and State Operations, Center for Medicaid and State Operations, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.

      NOTIFICATION PROCEDURE:

      For the purpose of accessing records based on individual identifiable data, the subject individual should write to the system manager who will require the system name, Medicare provider/supplier identification number, provider/supplier's name and address, and for verification purposes the subject

      [[Page 50803]]

      individual's name, social security number (SSN) (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay), address, date of birth and sex.

      RECORD ACCESS PROCEDURE:

      For accessing records based on individual identifiable data, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2).)

      CONTESTING RECORD PROCEDURES:

      The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7).

      RECORD SOURCE CATEGORIES:

      The following forms and the ACTS software are used to collect ACTS data.

      Medicare/Medicaid/CLIA Complaint Form (CMS-562).

      Statement of Deficiencies and Plan of Correction (CMS-2567).

      Post-Certification Revisit Report (CMS-2567B).

      Survey Team Composition and Workload Report (CMS-670).

      Request for Validation of Accreditation Survey for Hospital (CMS- 2802).

      Request for Validation of Accreditation Survey for Laboratory (CMS- 2802A).

      Request for Validation of Accreditation Survey for Hospice (CMS- 2802B).

      Request for Validation of Accreditation Survey for Home Health Agency (CMS-2802C).

      Request for Validation of Accreditation Survey for Ambulatory Surgical Center (CMS-2802D).

      Request for Survey of 489.20 and 489.24 Essentials of Provider Agreements:

      Responsibilities of Medicare Participating Hospitals in Emergency Cases (CMS-1541A).

      CMS-116--CLIA Laboratory Application.

      SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

      Waiver of 40 day waiting period.

      Appendix A Location of State Servers

      North Dakota Department of Health Resources, 600 East Boulevard Avenue, Suite 206, Bismarck, ND 58505.

      Department of Health, Facility Licensing and Certification Bureau, 2040 South Pacheco, Colgate Building 2nd Floor, Santa Fe, NM 87505.

      Utah Department of Health, M/M Program Certification, 288 North, 1460 West, Salt Lake City, UT 84114-2905.

      Department of Public Health and Human Services, Senior and Long Term Care Division, 111 Sanders Avenue, Suite 210, P.O. Box 4210, Helena, MT 59601.

      Division of Medicaid, Bureau of Facility Standards, Myers & Stauffer, 8555 West Hackamore Dr., Suite 100, Boise, ID 83709-1665.

      Rhode Island Department of Health, Three Capitol Hill, Cannon Building, Room 306, Providence, RI 02908-5097.

      State of Connecticut, Department of Public Health, 410 Capitol Avenue MS13DPR, P.O. Box 340308, Hartford, CT 06134-0308.

      Minnesota Department of Health, F&PC Division, 85 East 7th Place-Suite 300, P.O. Box 64900, St. Paul, MN 55101.

      Bureau of Quality Assurance, Department of Health and Family Services, 1 West Wilson Street, Suite 150, P.O. Box 7850, Madison, WI 53701-0309.

      Louisiana Department of Health and Hospitals, Health Standards Section, 500 Laurel Street, Suite 100, Baton Rouge, LA 70801.

      Texas Department of Human Services (TDHS), 701 West 51st Street, P.O. Box 149030, MC W-519, Austin, TX 78751.

      Alabama Department of Public Health, Division of Health Care Facilities, 201 Monroe Street, Suite 840, P.O. Box 303017, Montgomery, AL 36104-3017.

      Division of Emergency Medical Services, 570 East Woodrow Wilson Blvd., Third Floor A-300, Jackson, MS 39215.

      State of New Jersey, Department of Health and Senior Services Long Term Care. Systems Development and Quality, 120 S Stockton Street, lower level, Trenton, NJ 08625.

      Office of Health Facilities Licensing and Certification, LTC Residents Protection, Three Mill Road, Suite 308, Wilmington, DE 19806.

      Colorado Department of Public Health and Environment, Health Facilities Division, HFD-a2, 4300 Cherry Creek Drive, South, Second Floor, Denver, CO 80246-1530.

      Office of Health Quality, 2020 Carey Avenue, First Bank Building, 8th Floor, Cheyenne, WY 82002.

      Department of Health & Human Services Division of Facility Services Licensure and Certification Section, 805 Briggs Drive, Raleigh, NC 27603.

      SCDHEC, Division of Certification, 1777 Saint Julian Place, Suite 302, Columbia, SC 29204.

      Seniors and People with Disabilities, 875 Union St.--4th Fl., Salem, OR 97310.

      AASA--Division of Residential Services, 0B2 1115 North Washington, Olympia, WA 98503.

      Myers and Stauffer, 6380 Flank Drive, Suite 100, Harrisburg, PA 17112.

      DHHR, Management Information Services, 350 Capital Street, Room 206, Third Floor Computer Room, Charleston, WV 25301-3178.

      Office of Regulatory Services, Georgia Department of Human Resources, 2 Peachtree Street North West, Suite 24, Atlanta, GA 30303-3167.

      Management Information Systems, Agency for Health Care Administration, 2727 Mahan Dr, Fort Knox, Bldg 3, Room 100, MS9a, Tallahassee, FL 32308-5403.

      Illinois Department of Public Aid, Division of Medical Programs, 201 South Grand Avenue, East, Prescott Bloom Bldg. 2nd floor, Springfield, IL 62763.

      Indiana State Department of Health, 2 North Meridian Street, Indianapolis, IN 46204.

      Cabinet for Health Services Office of Inspector General, 275 East Main Street 5E-A, Frankfurt, KY 40621.

      Tennessee Department of Health, Division of Health Care Facilities, 426 5th Avenue, North, Cordell Hull Building, 1st Floor, Nashville, TN 37247-0508.

      Massachusetts Department of Public Health, Division of Health Care Quality, 10 West Street, 5th floor, Boston, MA 02111.

      Division of Licensing and Protection, 103 South Main Street, Ladd Hall room 898, Waterbury, VT 05671.

      Missouri Department of Social Services, Division of Aging, 615 Howerton Court, Jefferson City, MO 65109.

      Department of Human Services DMS/OLTC/ Reimbursement Unit, 700 Main, 4th Floor, PO Box 8059--Slot 407, Little Rock, AR 72203-8059.

      Oklahoma State Department of Health, SHS, 1000 North East 10th Street, Oklahoma City, OK 73117-1299.

      Myers & Stauffer Consulting Services, 4123 Southwest Gage Center Drive, Suite 200, Topeka, KS 66604.

      Bureau of Licensure and Certification, 1550 East College Parkway, Suite 158, Carson City, NV 89706.

      Arizona Department of Health Services, 1647 East Morten Ave., Suite 200, Phoenix, AZ 85020.

      Virginia Department of Health, 1500 East Main Street, Room 211, Main Street Station, Richmond, VA 23219.

      Department of Consumer and Regulatory Affairs, Service Facility Regulation Administration, 825 N Capitol Street NE., 2nd Floor LRA-- Room 221, Washington, DC 20002.

      Michigan Department of Community Health, 300 East Michigan, Chandler River Plaza Building, Lansing, MI 48933.

      Ohio Department of Health, 246 N. High St., 3rd Floor, Columbus, OH 43215.

      Dept of Human Services, 442 Civic Center Drive, Augusta, ME 04330.

      Department of Health and Human Services, Office of Program Support, Office of Information Systems, 129 Pleasant Street, Brown Bldg., Concord, NH 03301-3857.

      Office of Health Care Assurance, 601 Kamokila, RM 395, Kapolei, HI 96707.

      South Dakota Department of Social Services, Office of Adult Services and Aging, 700 Governors Drive, Pierre, SD 57501.

      California Department of Health Services, Licensing and Certification, 630 Bercut Dr. Suite B, Sacramento, CA 95814.

      State of Maryland, Department of Health Care Quality, 55 Wade Avenue, Spring Grove

      [[Page 50804]]

      Center, Bland Bryant Bldg., Fourth Floor, Catonsville, MD 21228.

      Department of Health and Human Services, Medicaid Division, P.O. Box 95026--301 Centennial Mall, South, 5th Floor, Lincoln, NE 68509.

      DHHS Div of Med. Assistance Heath Facilities Licensing and Certification, 4730 Business Park Boulevard, Suite 18, Anchorage, AK 99503.

      NYS Dept. of Health, Empire State Plaza, Concourse Room 148, Albany, NY 12237.

      Virgin Islands, IFMC, 6000 Westown Parkway, West Des Moines, IA 50266.

      Puerto Rico Department of Health, Assistant Secretariat for the Regulation and Accreditation of Health Facilities, Former Ruez Soler Hospital Road 2, Bayamon, PR 00959.

      [FR Doc. 03-21444 Filed 8-21-03; 8:45 am]

      BILLING CODE 4120-03-P

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT