[Federal Register Volume 76, Number 115 (Wednesday, June 15, 2011)]
[Notices]
[Pages 35050-35052]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-14839]


=======================================================================
-----------------------------------------------------------------------

OFFICE OF PERSONNEL MANAGEMENT


Privacy Act of 1974: New System of Records

AGENCY: U.S. Office of Personnel Management (OPM).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: OPM proposes to add OPM/Central-15, Health Claims Data 
Warehouse, to its inventory of records systems subject to the Privacy 
Act of 1974 (5 U.S.C. 552a), as amended. This action is necessary to 
meet the requirements of the Privacy Act to publish in the Federal 
Register notice of the existence and character of records maintained by 
the agency. 5 U.S.C. 552a(e)(4). OPM first published a system of 
records notice pertaining to the Health Claims Data Warehouse on 
October 5, 2010 with the comment period closing November 15, 2010. On 
November 15, 2010, OPM extended the comment period to December 15, 2010 
and indicated its intent to modify certain aspects of the system of 
records notice. On December 15, 2010, OPM published a notice closing 
the comment period. Based on the comments received during the comment 
period, OPM issues this revised notice that, among other things: limits 
the scope of the system to information pertaining to the Federal 
Employees Health Benefits Program; significantly narrows the 
circumstances under which routine use disclosures will be made from the 
system; clarifies that only de-identified data will be released outside 
of OPM; provides greater detail regarding OPM authorities for 
maintaining the system; and further describes systems security measures 
that will be taken to protect the records.

DATES: This action will be effective without further notice on July 15, 
2011 unless comments are received that would result in a contrary 
determination.

ADDRESSES: Send written comments to the Office of Personnel Management, 
ATTN: Gary A. Lukowski, PhD, Manager, Data Analysis, U.S. Office of 
Personnel Management, 1900 E Street, NW., Room 7439, Washington, DC 
20415 or to gary.lukowski@opm.gov.

FOR FURTHER INFORMATION CONTACT: Gary A. Lukowski, PhD, Manager, Data 
Analysis, 202-606-1449.

SUPPLEMENTARY INFORMATION: The purpose of this system of records is to 
provide a central database from which OPM may analyze costs and 
utilization of services associated with the Federal Employees Health 
Benefits Program to ensure the best value for both enrollees and 
taxpayers. OPM will collect, manage, and analyze health services data 
that health insurers and administrators will provide through secure 
data transfer for the program. OPM's analyses of the data will include: 
The cost of care; utilization of services; and quality of care for 
specific population groups, geographic areas, health plans, health care 
providers, disease conditions, and other relevant categories. The 
information contained in the database will assist in improving the 
effectiveness and efficiency of care delivered by health care providers 
to the enrollees by facilitating robust contract negotiations, health 
plan accountability, performance management, and program evaluation. 
OPM will use identifiable data to create person-level longitudinal 
records, which are long-term health records that will allow us to 
examine individual health information over time. However, OPM analysts 
using the database for analysis purposes will only have access to de-
identified data. Likewise, only de-identified data will be supplied to 
external analysts.
    Information on enrollees in the Pre-Existing Condition Insurance 
Plan (PCIP) had been proposed to be included in this database. However, 
OPM and HHS have determined that it is unnecessary to include claims 
from the Federally-run PCIP in this System of Records. In its role 
administering the program as a whole, HHS intends to collect de-
identified claims level data on the program. Because OPM manages the 
day-to-day operation of the Federally-run PCIP pursuant to an agreement 
with HHS under the Economy Act, 31 U.S.C. 1535, HHS intends to make 
these de-identified data available to OPM for monitoring and oversight 
activities. Additionally, the original notice proposed including in 
this database information on enrollees in the OPM-regulated Multi-State 
Plans (MSP) which will appear on state exchanges beginning January 1, 
2014. OPM has determined that it is premature to establish a System of 
Records for a program that will not become operational until 2014.

    U.S. Office of Personnel Management.
John Berry,
Director.
OPM CENTRAL-15

SYSTEM NAME:
    Health Claims Data Warehouse (HCDW).

SYSTEM LOCATION:
    Office of Personnel Management, 1900 E Street, NW., Washington, DC 
20415.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    This system will contain records on the Federal Employees Health 
Benefits Program (FEHBP. The FEHBP includes Federal employees, Postal 
employees, uniformed service members, retirees, and their family 
members who voluntarily participate in the Program.

[[Page 35051]]

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records in the system may contain the following types of 
information on participating enrollees and covered dependents:
    a. Name, social security number, date of birth, gender.
    b. Home address.
    c. Covered dependent information (spouse, dependents)--name, social 
security number, date of birth, gender.
    d. Enrollee's employing agency.
    e. Name of health care provider.
    f. Health care provider address.
    g. Health care provider taxpayer identification number (TIN) or 
carrier identifier.
    h. Health care coverage information regarding benefit coverage for 
the plan in which the person is enrolled.
    i. Health care procedures performed on the individual in the form 
of ICD, CPT and other appropriate codes.
    j. Health care diagnoses in the form of ICD codes, and treatments, 
including prescribed drugs, derived from clinical medical records.
    k. Provider charges, amounts paid by the plan and amounts paid by 
the enrollee for the above coverage, procedures, and diagnoses.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for requiring FEHBP carriers to allow OPM access to 
records and for requiring reports, as well as authority for OPM's 
maintenance of FEHBP health claims information, is provided by 5 U.S.C. 
8901, et seq. Section 8910 of title 5 United States Code states, in 
relevant part: ``(a) The Office of Personnel Management shall make a 
continuing study of the operation and administration of this chapter, 
including surveys and reports on health benefit plans available to 
employees and on the experience of the plans. (b) Each contract entered 
into under section 8902 of this title shall contain provisions 
requiring carriers to--(1) furnish such reasonable reports as the 
Office determines to be necessary to enable it to carry out its 
functions under this chapter; and (2) permit the Office and 
representatives of the Government Accountability Office to examine 
records of the carriers as may be necessary to carry out the purposes 
of this chapter.'' As explained in greater detail in the ``Purpose'' 
section below, OPM plans to use the information collected in this 
system to assist in its administration of, and in carrying out its 
functions under 5 U.S.C. chapter 89.

PURPOSE:
    The primary purpose of this system of records is to provide a 
central database from which OPM may analyze the FEHBP to support the 
management of the program to ensure the best value for the enrollees 
and taxpayers. OPM will collect, manage, and analyze health services 
data provided by health insurers and administrators through secure data 
transfer. OPM will analyze the data in order to evaluate: The cost of 
care; utilization of services; and quality of care for specific 
population groups, geographic areas, health plans, health care 
providers, disease conditions, and other relevant categories. 
Information contained in the database will assist in improving the 
effectiveness and efficiency of care delivered by health care providers 
to the enrollees by facilitating robust contract negotiations, health 
plan accountability, performance management, and program evaluation. 
OPM will use identifiable data to create person-level longitudinal 
records. However, OPM analysts using the database for analysis purposes 
will only have access to de-identified data. Only de-identified data 
will be released for all analysis purposes.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    1. To disclose FEHBP data to analysts inside and outside the 
Federal Government for the purpose of conducting analysis of health 
care and health insurance trends and topical health-related issues 
compatible with the purposes for which the records were collected and 
formulating health care program changes and enhancements to limit cost 
growth, improve outcomes, increase accountability, and improve 
efficiency in program administration. In all cases, analysts external 
to OPM will access a public use file that will be maintained for such 
purposes; will only contain de-identified data; and will be structured, 
where appropriate, to protect enrollee confidentiality where identities 
may be discerned because there are fewer records under certain 
demographic or other variables. In all disclosures to analysts under 
this routine use, only de-identified data will be disclosed.

POLICIES AND PRACTICES OF STORING, RETRIEVING, SAFEGUARDING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    These records will be maintained in electronic systems.

RETRIEVABILITY:
    These records are retrieved by a unique identifier that will be 
based on identifying information (primarily name and social security 
number) of the individual.

SAFEGUARDS:
    OPM's Planning and Policy Analysis (PPA) Office will maintain HCDW 
within secured offices at OPM Headquarters. All employees and 
contractors are required to have an appropriate background 
investigation before they are allowed physical access to OPM and access 
to the HCDW system. The secured space is equipped with an electronic 
badge reader restricting access to authorized personnel only and has 
alarms to alert security personnel if unauthorized personnel are in the 
spaces. OPM employs armed physical security guards 365 days a year, 24 
hours a day that patrol OPM Headquarters, to include every entry/exit 
point. Video cameras are strategically located on every floor and 
external to the facility. The HCDW will physically reside on the 
servers managed by OPM's Office of Inspector General (OIG), but PPA 
personnel will have sole control and responsibility for the operation, 
maintenance, access, and security of the HCDW. Computer firewalls are 
maintained in the HCDW to prevent access by unauthorized personnel. The 
HCDW employs National Institute of Standards and Technology (NIST) 
Security Controls identified in the most recent version of Special 
Publication SP 800-53. NIST 800-53 security controls are the 
management, operational, and technical safeguards or countermeasures 
employed within an organizational information system to protect the 
confidentiality, integrity, and availability of the system and its 
information. The HCDW will perform Authorization and Assessment 
following the NIST 800-53 standard in order to obtain an Authority to 
Operate (ATO). The HCDW will employ role based access controls to 
further restrict access to data contained within HCDW and its virtual 
servers based on the functions that users are authorized to perform. 
The data warehouse will be fully compliant with all applicable 
provisions of the Privacy Act, Health Insurance Portability and 
Accountability Act (HIPAA), Federal Information Security Management Act 
(FISMA), Records Act, Office of Management and Budget (OMB) guidance, 
and NIST guidance. As also explained below under ``Record Source 
Categories,'' the PPA receives the data from the OIG, which collects it 
from contract service providers (health plans) carrying out the 
program. The data is reviewed by the OIG for accuracy and adjusted to 
ensure a common format. Once data is adjusted into a common format it 
is then routed to the HCDW

[[Page 35052]]

where longitudinal records are produced and the data is stripped of 
identifiers for analytic purposes. The PPA has determined that first 
running the data through OPM OIG's data processing environment will 
result in significant cost and efficiency savings because the OPM OIG 
has already developed, tested, and established technical protocols 
which will ensure that the records are put into a common technical 
format and checked for accuracy. A database administrator employed by 
PPA will handle the FEHBP data at this processing phase. The OPM OIG 
systems that will process the data will also be fully compliant with 
all applicable provisions of the Privacy Act, Federal Information 
Security Management Act (FISMA), and NIST guidance.

RETENTION AND DISPOSAL:
    The records in this system will be retained for 7 years. Computer 
records will be destroyed by electronic erasure. A records retention 
schedule is currently being established with NARA.

SYSTEM MANAGERS AND ADDRESSES:
    The system manager is Gary A. Lukowski, PhD, Manager, Data 
Analysis, U. S. Office of Personnel Management, 1900 E Street, NW., 
Room 7439, Washington, DC 20415, 202-606-1449.

NOTIFICATION AND RECORD ACCESS PROCEDURE:
    Individuals wishing to determine whether this system of records 
contains information about them may do so by writing to the U.S. Office 
of Personnel Management, FOIA/PA Requester Service Center, 1900 E 
Street, NW., Room 5415, Washington, DC 20415-7900 or by e-mailing 
foia@opm.gov.
    Individuals must furnish the following information for their 
records to be located:
    1. Full name.
    2. Date and place of birth.
    3. Social security number.
    4. Signature.
    5. Available information regarding the type of information 
requested.
    6. The reason why the individual believes this system contains 
information about him/her.
    7. The address to which the information should be sent.
    Individuals requesting access must also comply with OPM's Privacy 
Act regulations regarding verification of identity and access to 
records (5 CFR 297).

CONTESTING RECORD PROCEDURE:
    Individuals wishing to request amendment of records about them 
should write to the Office of Personnel Management, FOIA/PA Requester 
Service Center, 1900 E Street, NW., Room 5415, Washington, DC 20415-
7900. ATTN: Planning and Policy Analysis.
    Individuals must furnish the following information in writing for 
their records to be located:
    1. Full name.
    2. Date and place of birth.
    3. Social Security Number.
    4. City, state, and zip code of their Federal Agency.
    5. Signature.
    6. Precise identification of the information to be amended.
    Individuals requesting amendment must also follow OPM's Privacy Act 
regulations regarding verification of identity and amendment to records 
(5 CFR 297).

RECORD SOURCE CATEGORIES:
    OPM, which has the authority to obtain this information from health 
care insurers and administrators contracted by OPM to manage the FEHBP, 
will obtain the FEHBP records from health care insurers and 
administrators. The information will first be received by OPM's OIG, 
which will then process the data and provide it to PPA under an MOU 
between PPA and OIG. OPM's OIG will also maintain the FEHBP records in 
a separate system of records under its own authorities. OPM has 
determined that first running the records through technical protocols 
developed and established by the OIG will be more efficient, secure, 
and cost effective because the records will already have been checked 
for accuracy and adjusted to ensure a common format using a well tested 
process.

SYSTEM EXEMPTIONS:
    None.

[FR Doc. 2011-14839 Filed 6-14-11; 8:45 am]
BILLING CODE 6325-46-P