Federal Register, Volume 78 Issue 75 (Thursday, April 18, 2013)

[Federal Register Volume 78, Number 75 (Thursday, April 18, 2013)]
[Notices]
[Pages 23313-23315]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-09133]


=======================================================================
-----------------------------------------------------------------------

OFFICE OF PERSONNEL MANAGEMENT


Privacy Act of 1974: New System of Records

AGENCY: U.S. Office of Personnel Management (OPM).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: OPM has amended an existing system of records subject to the 
Privacy Act of 1974 (5 U.S.C. 552a) to reflect the fact that the Office 
of Planning and Policy Analysis (PPA) is receiving Federal Employees 
Health Benefits Program (FEHBP) Health Claims data directly from some 
FEHBP carriers, and processing and analyzing this data within OPM. PPA 
is developing the alternative data intake process to acquire data from 
plans and/or carriers that are outside of the scope of existing OPM 
systems.

DATES: This action will be effective without further notice on May 20, 
2013 unless comments are received that would result in a contrary 
determination.

ADDRESSES: Send written comments by mail to the Office of Personnel 
Management, ATTN: Dennis Hardy, PMP, HCDW Project Manager, U. S. Office 
of Personnel Management, 1900 E Street NW., Room 2340A, Washington, DC 
20415, or by email to [email protected].

FOR FURTHER INFORMATION CONTACT: Dennis Hardy, PMP, HCDW Project 
Manager, 202-606-4281.

SUPPLEMENTARY INFORMATION: The Office of Planning and Policy Analysis, 
in cooperation with the OPM/Chief Information Officer (CIO), is 
implementing an alternate data intake and transformation infrastructure 
within the OPM environment to allow OPM to develop, process, and 
analyze this additional data in an expeditious manner. This alternate 
infrastructure, which is a scaled down version of the Health Claims 
Data Warehouse (HCDW) system, also provides a ``hot site'' disaster 
recovery capability should the primary environment be unavailable for 
data processing and/or analysis. This alternate infrastructure is 
easily scalable to support the demands of OPM. In addition to building 
the alternative data intake process, PPA will continue to receive 
carrier information from OPM's Office of Inspector General (OIG). The 
carrier data will be transmitted securely from the physically secured 
servers managed by OIG to the secure data intake infrastructure managed 
by OPM's OCIO. In total, PPA will be receiving data from nine plans 
and/or carriers. This action is necessary to meet the requirements of 
the Privacy Act to publish in the Federal Register notice of the 
existence and character of records maintained by the Agency (5 U.S.C. 
552a(e)(4)). OPM first published a system of records notice pertaining 
to the Health Claims Data Warehouse on October 5, 2010, with the 
comment period closing November 15, 2010. On November 15, 2010, OPM 
extended the comment period to December 15, 2010, and indicated its 
intent to modify certain aspects of the system of records notice. On 
December 15, 2010, OPM published a notice closing the comment period. 
Based on the comments received during the comment period, OPM issued a 
revised notice that, among other things, limited the scope of the 
system to information pertaining to FEHBP, significantly narrowed the 
circumstances under which routine use disclosures will be made from the 
system, clarified that only de-identified data will be released outside 
of OPM, provided greater detail regarding OPM authorities for 
maintaining the system, and further described systems security measures 
that will be taken to protect the records.
    The purpose of this system of records is to provide a central 
database from which OPM may analyze costs and utilization of services 
associated with FEHBP to ensure the best value for both enrollees and 
taxpayers. OPM collects, manages, and analyzes health services data 
that health insurers and administrators provide through secure data 
transfer for the program. OPM's analysis of the data includes the cost 
of care, utilization of services, and quality of care for specific 
population groups, geographic areas, health plans, health care 
providers, disease conditions, and

[[Page 23314]]

other relevant categories. The information contained in the database 
assists in improving the effectiveness and efficiency of care delivered 
by health care providers to the enrollees by facilitating robust 
contract negotiations, health plan accountability, performance 
management, and program evaluation. OPM uses identifiable data to 
create person-level longitudinal records, which are long-term health 
records that allow us to examine individual health information over 
time. Access to personally identifiable information is highly 
restricted to personnel needed to create person-level longitudinal 
records and to select OPM analysts using the database for analytical 
purposes.

Office of Personnel Management.
John Berry,
Director.
OPM CENTRAL--15

SYSTEM NAME:
    Health Claims Data Warehouse (HCDW).

SYSTEM LOCATION:
    Office of Personnel Management, 1900 E Street NW., Washington, DC 
20415.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    This system contains records on the Federal Employees Health 
Benefits Program (FEHBP). The FEHBP includes Federal employees, Postal 
employees, uniformed service members, retirees, and their family 
members who voluntarily participate in the Program.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records in the system may contain the following types of 
information on participating enrollees and covered dependents:
    a. Name, social security number, date of birth, gender.
    b. Home address.
    c. Covered dependent information (spouse, dependents)--name, social 
security number, date of birth, gender.
    d. Enrollee's employing agency.
    e. Name of health care provider.
    f. Health care provider address.
    g. Health care provider taxpayer identification number (TIN) or 
carrier identifier.
    h. Health care coverage information regarding benefit coverage for 
the plan in which the person is enrolled.
    i. Health care procedures performed on the individual in the form 
of ICD, CPT and other appropriate codes.
    j. Health care diagnoses in the form of ICD codes, and treatments, 
including prescribed drugs, derived from clinical medical records.
    k. Provider charges, amounts paid by the plan and amounts paid by 
the enrollee for the above coverage, procedures, and diagnoses.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for requiring FEHBP carriers to allow OPM access to 
records and for requiring reports, as well as authority for OPM's 
maintenance of FEHBP health claims information, is provided by 5 U.S.C. 
8901, et seq. In particular, section 8910 states, in relevant part: 
``(a) The Office of Personnel Management shall make a continuing study 
of the operation and administration of this chapter, including surveys 
and reports on health benefit plans available to employees and on the 
experience of the plans. (b) Each contract entered into under section 
8902 of this title shall contain provisions requiring carriers to--(1) 
furnish such reasonable reports as the Office determines to be 
necessary to enable it to carry out its functions under this chapter; 
and (2) permit the Office and representatives of the Government 
Accountability Office to examine records of the carriers as may be 
necessary to carry out the purposes of this chapter.'' As explained in 
greater detail in the ``Purpose'' section below, OPM uses the 
information collected in this system to assist in its administration 
of, and in carrying out its functions under 5 U.S.C. chapter 89.

PURPOSE:
    The primary purpose of this system of records is to provide a 
central database from which OPM may analyze the FEHBP to support the 
management of the program to ensure the best value for the enrollees 
and taxpayers. OPM collects, manages, and analyzes health services data 
provided by health insurers and administrators through secure data 
transfer. OPM analyzes the data in order to evaluate the cost of care, 
utilization of services, and quality of care for specific population 
groups, geographic areas, health plans, health care providers, disease 
conditions, and other relevant categories. Information contained in the 
database assists in improving the effectiveness and efficiency of care 
delivered by health care providers to the enrollees by facilitating 
robust contract negotiations, health plan accountability, performance 
management, and program evaluation. OPM uses identifiable data to 
create person-level longitudinal records. Access to PII is restricted 
to personnel needed to create person-level longitudinal records and to 
select OPM analysts using the database for the analytical purposes 
described in this notice. Only de-identified data will be released by 
OPM externally for all other research and analysis purposes.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    1. To disclose FEHBP data to analysts inside and outside the 
Federal Government for the purpose of conducting analysis of health 
care and health insurance trends and topical health-related issues 
compatible with the purposes for which the records were collected and 
formulating health care program changes and enhancements to limit cost 
growth, improve outcomes, increase accountability, and improve 
efficiency in program administration. In all disclosures to analysts 
external to OPM under this routine use, only de-identified data will be 
disclosed. A public use file that will be maintained will only contain 
de-identified data and will be structured, where appropriate, to 
protect enrollee confidentiality where identities may be discerned 
because there are fewer records under certain demographic or other 
variables.

POLICIES AND PRACTICES OF STORING, RETRIEVING, SAFEGUARDING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    These records are maintained in electronic systems.

RETRIEVABILITY:
    These records are retrieved by a unique identifier that will be 
based on identifying information (primarily name and social security 
number) of the individual.

SAFEGUARDS:
    The Health Claims Data Warehouse (HCDW), to include the new 
alternate data intake and transformation infrastructure, is operated 
within the OPM environment. All employees who have a need to access the 
information are required to have an appropriate background 
investigation consistent with the risk and sensitivity designation of 
that position. The investigation must be favorably adjudicated before 
they are allowed physical access to OPM and access to the HCDW system. 
Employees of contractors are required to have an appropriate background 
investigation consistent with the credentialing policy of the agency 
and/or the terms of the underlying contract. Again, the investigation 
must be favorably adjudicated before they are allowed physical access 
to OPM and access to the HCDW system. The OPM environment is equipped 
with electronic badge readers restricting

[[Page 23315]]

access to authorized personnel only and has safeguards in place to 
alert security personnel if unauthorized personnel attempt to gain 
access to OPM's environment. OPM employs armed physical security guards 
365 days a year, 24 hours a day that patrol OPM headquarters, to 
include entry and exit points. Computer firewalls are maintained to 
prevent access by unauthorized personnel. The HCDW employs National 
Institute of Standards and Technology (NIST) Physical and Environmental 
Security Controls identified in Special Publication SP 800-53 revision 
3. The HCDW will perform a Security Assessment and Authorization (SA&A) 
following the NIST 800-53 rev 3 standard in order to obtain an 
Authority to Operate (ATO). Users within the Office of Planning and 
Policy Analysis (PPA) use the system to perform cost and quality 
analysis for health care plans. Two sub-groups of PPA users have been 
identified in the system, those who are permitted to view PII and those 
who are not. HCDW employs role based access controls (RBAC) to further 
restrict access to data contained within HCDW based on users' roles. 
The data warehouse is fully compliant with all applicable provisions of 
the Privacy Act, Health Insurance Portability and Accountability Act 
(HIPAA) as an oversight agency, Federal Information Security Management 
Act (FISMA), Records Act and National Institute of Standards and 
Technology (NIST) guidance.

RETENTION AND DISPOSAL:
    The records in this system are retained for 7 years. Computer 
records will be destroyed by electronic erasure. The system has been 
approved by NARA to maintain a 7-year record retention.

SYSTEM MANAGERS AND ADDRESSES:
    The system manager is Dennis Hardy, PMP, HCDW Project Manager, U. 
S. Office of Personnel Management, 1900 E Street NW., Room 2340A, 
Washington, DC 20415, 202-606-4281.

NOTIFICATION AND RECORD ACCESS PROCEDURE:
    Individuals wishing to determine whether this system of records 
contains information about them may do so by writing to the U.S. Office 
of Personnel Management, FOIA/PA Requester Service Center, 1900 E 
Street NW., Room 5415, Washington, DC 20415-7900 or by emailing 
[email protected]. Individuals must furnish the following information for 
their records to be located:
    1. Full name.
    2. Date and place of birth.
    3. Social security number.
    4. Signature.
    5. Available information regarding the type of information 
requested.
    6. The reason why the individual believes this system contains 
information about him/her.
    7. The address to which the information should be sent.
    Individuals requesting access must also comply with OPM's Privacy 
Act regulations regarding verification of identity and access to 
records (5 CFR 297).

CONTESTING RECORD PROCEDURE:
    Individuals wishing to request amendment of records about them 
should write to the Office of Personnel Management, FOIA/PA Requester 
Service Center, 1900 E Street NW., Room 5415, Washington, DC 20415-
7900. ATTN: Planning and Policy Analysis.
    Individuals must furnish the following information in writing for 
their records to be located:
    1. Full name.
    2. Date and place of birth.
    3. Social Security Number.
    4. City, state, and zip code of their Federal Agency.
    5. Signature.
    6. Precise identification of the information to be amended.
    Individuals requesting amendment must also follow OPM's Privacy Act 
regulations regarding verification of identity and amendment to records 
(5 CFR 297).

RECORD SOURCE CATEGORIES:
    OPM, which has the authority to obtain this information from health 
care insurers and administrators contracted by OPM to manage the FEHBP, 
will obtain the FEHBP records from health care insurers and 
administrators. OPM's OIG also maintains the FEHBP records in a 
separate system of records under its own authorities.

SYSTEM EXEMPTIONS:
    None.

[FR Doc. 2013-09133 Filed 4-17-13; 8:45 am]
BILLING CODE 6325-63-P