[Federal Register Volume 76, Number 115 (Wednesday, June 15, 2011)]
[Notices]
[Pages 35050-35052]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-14839]
=======================================================================
-----------------------------------------------------------------------
OFFICE OF PERSONNEL MANAGEMENT
Privacy Act of 1974: New System of Records
AGENCY: U.S. Office of Personnel Management (OPM).
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: OPM proposes to add OPM/Central-15, Health Claims Data
Warehouse, to its inventory of records systems subject to the Privacy
Act of 1974 (5 U.S.C. 552a), as amended. This action is necessary to
meet the requirements of the Privacy Act to publish in the Federal
Register notice of the existence and character of records maintained by
the agency. 5 U.S.C. 552a(e)(4). OPM first published a system of
records notice pertaining to the Health Claims Data Warehouse on
October 5, 2010 with the comment period closing November 15, 2010. On
November 15, 2010, OPM extended the comment period to December 15, 2010
and indicated its intent to modify certain aspects of the system of
records notice. On December 15, 2010, OPM published a notice closing
the comment period. Based on the comments received during the comment
period, OPM issues this revised notice that, among other things: limits
the scope of the system to information pertaining to the Federal
Employees Health Benefits Program; significantly narrows the
circumstances under which routine use disclosures will be made from the
system; clarifies that only de-identified data will be released outside
of OPM; provides greater detail regarding OPM authorities for
maintaining the system; and further describes systems security measures
that will be taken to protect the records.
DATES: This action will be effective without further notice on July 15,
2011 unless comments are received that would result in a contrary
determination.
ADDRESSES: Send written comments to the Office of Personnel Management,
ATTN: Gary A. Lukowski, PhD, Manager, Data Analysis, U.S. Office of
Personnel Management, 1900 E Street, NW., Room 7439, Washington, DC
20415 or to gary.lukowski@opm.gov.
FOR FURTHER INFORMATION CONTACT: Gary A. Lukowski, PhD, Manager, Data
Analysis, 202-606-1449.
SUPPLEMENTARY INFORMATION: The purpose of this system of records is to
provide a central database from which OPM may analyze costs and
utilization of services associated with the Federal Employees Health
Benefits Program to ensure the best value for both enrollees and
taxpayers. OPM will collect, manage, and analyze health services data
that health insurers and administrators will provide through secure
data transfer for the program. OPM's analyses of the data will include:
The cost of care; utilization of services; and quality of care for
specific population groups, geographic areas, health plans, health care
providers, disease conditions, and other relevant categories. The
information contained in the database will assist in improving the
effectiveness and efficiency of care delivered by health care providers
to the enrollees by facilitating robust contract negotiations, health
plan accountability, performance management, and program evaluation.
OPM will use identifiable data to create person-level longitudinal
records, which are long-term health records that will allow us to
examine individual health information over time. However, OPM analysts
using the database for analysis purposes will only have access to de-
identified data. Likewise, only de-identified data will be supplied to
external analysts.
Information on enrollees in the Pre-Existing Condition Insurance
Plan (PCIP) had been proposed to be included in this database. However,
OPM and HHS have determined that it is unnecessary to include claims
from the Federally-run PCIP in this System of Records. In its role
administering the program as a whole, HHS intends to collect de-
identified claims level data on the program. Because OPM manages the
day-to-day operation of the Federally-run PCIP pursuant to an agreement
with HHS under the Economy Act, 31 U.S.C. 1535, HHS intends to make
these de-identified data available to OPM for monitoring and oversight
activities. Additionally, the original notice proposed including in
this database information on enrollees in the OPM-regulated Multi-State
Plans (MSP) which will appear on state exchanges beginning January 1,
2014. OPM has determined that it is premature to establish a System of
Records for a program that will not become operational until 2014.
U.S. Office of Personnel Management.
John Berry,
Director.
OPM CENTRAL-15
SYSTEM NAME:
Health Claims Data Warehouse (HCDW).
SYSTEM LOCATION:
Office of Personnel Management, 1900 E Street, NW., Washington, DC
20415.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
This system will contain records on the Federal Employees Health
Benefits Program (FEHBP. The FEHBP includes Federal employees, Postal
employees, uniformed service members, retirees, and their family
members who voluntarily participate in the Program.
[[Page 35051]]
CATEGORIES OF RECORDS IN THE SYSTEM:
The records in the system may contain the following types of
information on participating enrollees and covered dependents:
a. Name, social security number, date of birth, gender.
b. Home address.
c. Covered dependent information (spouse, dependents)--name, social
security number, date of birth, gender.
d. Enrollee's employing agency.
e. Name of health care provider.
f. Health care provider address.
g. Health care provider taxpayer identification number (TIN) or
carrier identifier.
h. Health care coverage information regarding benefit coverage for
the plan in which the person is enrolled.
i. Health care procedures performed on the individual in the form
of ICD, CPT and other appropriate codes.
j. Health care diagnoses in the form of ICD codes, and treatments,
including prescribed drugs, derived from clinical medical records.
k. Provider charges, amounts paid by the plan and amounts paid by
the enrollee for the above coverage, procedures, and diagnoses.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for requiring FEHBP carriers to allow OPM access to
records and for requiring reports, as well as authority for OPM's
maintenance of FEHBP health claims information, is provided by 5 U.S.C.
8901, et seq. Section 8910 of title 5 United States Code states, in
relevant part: ``(a) The Office of Personnel Management shall make a
continuing study of the operation and administration of this chapter,
including surveys and reports on health benefit plans available to
employees and on the experience of the plans. (b) Each contract entered
into under section 8902 of this title shall contain provisions
requiring carriers to--(1) furnish such reasonable reports as the
Office determines to be necessary to enable it to carry out its
functions under this chapter; and (2) permit the Office and
representatives of the Government Accountability Office to examine
records of the carriers as may be necessary to carry out the purposes
of this chapter.'' As explained in greater detail in the ``Purpose''
section below, OPM plans to use the information collected in this
system to assist in its administration of, and in carrying out its
functions under 5 U.S.C. chapter 89.
PURPOSE:
The primary purpose of this system of records is to provide a
central database from which OPM may analyze the FEHBP to support the
management of the program to ensure the best value for the enrollees
and taxpayers. OPM will collect, manage, and analyze health services
data provided by health insurers and administrators through secure data
transfer. OPM will analyze the data in order to evaluate: The cost of
care; utilization of services; and quality of care for specific
population groups, geographic areas, health plans, health care
providers, disease conditions, and other relevant categories.
Information contained in the database will assist in improving the
effectiveness and efficiency of care delivered by health care providers
to the enrollees by facilitating robust contract negotiations, health
plan accountability, performance management, and program evaluation.
OPM will use identifiable data to create person-level longitudinal
records. However, OPM analysts using the database for analysis purposes
will only have access to de-identified data. Only de-identified data
will be released for all analysis purposes.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
1. To disclose FEHBP data to analysts inside and outside the
Federal Government for the purpose of conducting analysis of health
care and health insurance trends and topical health-related issues
compatible with the purposes for which the records were collected and
formulating health care program changes and enhancements to limit cost
growth, improve outcomes, increase accountability, and improve
efficiency in program administration. In all cases, analysts external
to OPM will access a public use file that will be maintained for such
purposes; will only contain de-identified data; and will be structured,
where appropriate, to protect enrollee confidentiality where identities
may be discerned because there are fewer records under certain
demographic or other variables. In all disclosures to analysts under
this routine use, only de-identified data will be disclosed.
POLICIES AND PRACTICES OF STORING, RETRIEVING, SAFEGUARDING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
These records will be maintained in electronic systems.
RETRIEVABILITY:
These records are retrieved by a unique identifier that will be
based on identifying information (primarily name and social security
number) of the individual.
SAFEGUARDS:
OPM's Planning and Policy Analysis (PPA) Office will maintain HCDW
within secured offices at OPM Headquarters. All employees and
contractors are required to have an appropriate background
investigation before they are allowed physical access to OPM and access
to the HCDW system. The secured space is equipped with an electronic
badge reader restricting access to authorized personnel only and has
alarms to alert security personnel if unauthorized personnel are in the
spaces. OPM employs armed physical security guards 365 days a year, 24
hours a day that patrol OPM Headquarters, to include every entry/exit
point. Video cameras are strategically located on every floor and
external to the facility. The HCDW will physically reside on the
servers managed by OPM's Office of Inspector General (OIG), but PPA
personnel will have sole control and responsibility for the operation,
maintenance, access, and security of the HCDW. Computer firewalls are
maintained in the HCDW to prevent access by unauthorized personnel. The
HCDW employs National Institute of Standards and Technology (NIST)
Security Controls identified in the most recent version of Special
Publication SP 800-53. NIST 800-53 security controls are the
management, operational, and technical safeguards or countermeasures
employed within an organizational information system to protect the
confidentiality, integrity, and availability of the system and its
information. The HCDW will perform Authorization and Assessment
following the NIST 800-53 standard in order to obtain an Authority to
Operate (ATO). The HCDW will employ role based access controls to
further restrict access to data contained within HCDW and its virtual
servers based on the functions that users are authorized to perform.
The data warehouse will be fully compliant with all applicable
provisions of the Privacy Act, Health Insurance Portability and
Accountability Act (HIPAA), Federal Information Security Management Act
(FISMA), Records Act, Office of Management and Budget (OMB) guidance,
and NIST guidance. As also explained below under ``Record Source
Categories,'' the PPA receives the data from the OIG, which collects it
from contract service providers (health plans) carrying out the
program. The data is reviewed by the OIG for accuracy and adjusted to
ensure a common format. Once data is adjusted into a common format it
is then routed to the HCDW
[[Page 35052]]
where longitudinal records are produced and the data is stripped of
identifiers for analytic purposes. The PPA has determined that first
running the data through OPM OIG's data processing environment will
result in significant cost and efficiency savings because the OPM OIG
has already developed, tested, and established technical protocols
which will ensure that the records are put into a common technical
format and checked for accuracy. A database administrator employed by
PPA will handle the FEHBP data at this processing phase. The OPM OIG
systems that will process the data will also be fully compliant with
all applicable provisions of the Privacy Act, Federal Information
Security Management Act (FISMA), and NIST guidance.
RETENTION AND DISPOSAL:
The records in this system will be retained for 7 years. Computer
records will be destroyed by electronic erasure. A records retention
schedule is currently being established with NARA.
SYSTEM MANAGERS AND ADDRESSES:
The system manager is Gary A. Lukowski, PhD, Manager, Data
Analysis, U. S. Office of Personnel Management, 1900 E Street, NW.,
Room 7439, Washington, DC 20415, 202-606-1449.
NOTIFICATION AND RECORD ACCESS PROCEDURE:
Individuals wishing to determine whether this system of records
contains information about them may do so by writing to the U.S. Office
of Personnel Management, FOIA/PA Requester Service Center, 1900 E
Street, NW., Room 5415, Washington, DC 20415-7900 or by e-mailing
foia@opm.gov.
Individuals must furnish the following information for their
records to be located:
1. Full name.
2. Date and place of birth.
3. Social security number.
4. Signature.
5. Available information regarding the type of information
requested.
6. The reason why the individual believes this system contains
information about him/her.
7. The address to which the information should be sent.
Individuals requesting access must also comply with OPM's Privacy
Act regulations regarding verification of identity and access to
records (5 CFR 297).
CONTESTING RECORD PROCEDURE:
Individuals wishing to request amendment of records about them
should write to the Office of Personnel Management, FOIA/PA Requester
Service Center, 1900 E Street, NW., Room 5415, Washington, DC 20415-
7900. ATTN: Planning and Policy Analysis.
Individuals must furnish the following information in writing for
their records to be located:
1. Full name.
2. Date and place of birth.
3. Social Security Number.
4. City, state, and zip code of their Federal Agency.
5. Signature.
6. Precise identification of the information to be amended.
Individuals requesting amendment must also follow OPM's Privacy Act
regulations regarding verification of identity and amendment to records
(5 CFR 297).
RECORD SOURCE CATEGORIES:
OPM, which has the authority to obtain this information from health
care insurers and administrators contracted by OPM to manage the FEHBP,
will obtain the FEHBP records from health care insurers and
administrators. The information will first be received by OPM's OIG,
which will then process the data and provide it to PPA under an MOU
between PPA and OIG. OPM's OIG will also maintain the FEHBP records in
a separate system of records under its own authorities. OPM has
determined that first running the records through technical protocols
developed and established by the OIG will be more efficient, secure,
and cost effective because the records will already have been checked
for accuracy and adjusted to ensure a common format using a well tested
process.
SYSTEM EXEMPTIONS:
None.
[FR Doc. 2011-14839 Filed 6-14-11; 8:45 am]
BILLING CODE 6325-46-P