[Federal Register Volume 78, Number 105 (Friday, May 31, 2013)]
[Notices]
[Pages 32654-32657]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-12671]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Agency for Healthcare Research and Quality


Privacy Act of 1974; System of Records Notice

AGENCY: Agency for Healthcare Research and Quality (AHRQ), Department 
of Health and Human Services (HHS).

ACTION: Notice to establish a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 1974 
(5 U.S.C. 552a), the Agency for Healthcare Research and Quality (AHRQ) 
within the Department of Health and Human Services is establishing a 
new system of records, ``Online Application Ordering for Products from 
the Healthcare Cost and Utilization Project (HCUP).'' This online 
electronic ordering system will streamline and facilitate the 
dissemination of HCUP databases and software to qualified researchers 
and result in a more efficient process for both the public and the 
Agency. The HCUP program and the system of records for the online 
application ordering process are more thoroughly described in the 
Supplementary Information section and System of Records Notice (SORN), 
below.

DATES: Effective 30 days after publication. HHS/AHRQ may publish an 
amended System of Records Notice (SORN) in light of any comments 
received.

ADDRESSES: Written comments should be sent to: HCUP Project Officer, 
Agency for Healthcare Research and Quality, 540 Gaither Rd., Rockville, 
MD 20852 OR to Email: [email protected].

FOR FURTHER INFORMATION CONTACT: HCUP Project Officer, Agency for 
Healthcare Research and Quality, 540 Gaither Rd., Rockville, MD 20852, 
301-427-1410, or [email protected].

SUPPLEMENTARY INFORMATION:

I. Background on New System of Records, ``Online Application Ordering 
for HCUP Products From the Healthcare Cost and Utilization Project 
(HCUP)''

    AHRQ is establishing this new system of records to cover 
personally-identifiable information (PII) about individuals who 
purchase HCUP databases and software products for scientific research 
purposes through a new online ordering system. AHRQ's research mission, 
the HCUP databases, and the online ordering process for HCUP databases 
and software products are explained in more detail below.

A. AHRQ's Research Mission

    The Healthcare Research and Quality Act of 1999 (``the Act''), 
Public Law 106-129, amended Title IX of the Public Health Service Act 
to establish AHRQ. The Act requires that AHRQ enhance the quality, 
appropriateness, and effectiveness of health services, and enhance 
access to such services, through the establishment of a broad base of 
scientific research and through the promotion of improvements in 
clinical and health systems practices, including the prevention of 
diseases and other health conditions. AHRQ promotes health care quality 
improvement by conducting and supporting:
    (1) Research that develops and presents scientific evidence 
regarding all aspects of health care;
    (2) Synthesis and dissemination of available scientific evidence 
for use by patients, consumers, practitioners, providers, purchasers, 
policy makers, and educators; and,
    (3) Initiatives to advance private and public efforts to improve 
health care quality.

B. The HCUP Databases

    AHRQ created a family of health care databases and related software 
tools and products known as the Healthcare Cost and Utilization Project 
(HCUP, pronounced ``H-Cup'') to conduct and support its research 
activities. HCUP was developed through a Federal-State-Industry 
partnership and sponsored by AHRQ; it includes the largest collection 
of longitudinal hospital care data in the United States, with all-
payer, encounter-level information beginning in 1988. The HCUP 
databases are annual files that contain anonymous information from 
hospital discharge records for inpatient care and certain components of 
outpatient care, such as emergency care and ambulatory surgeries. The 
project currently releases six types of databases created for research 
use on a broad range of health issues, including cost and quality of 
health services, medical practice patterns, access to health care 
programs, and outcomes of treatments at the national, state, and local 
market levels. HCUP also produces a large number of software tools to 
enhance the use of administrative health care data for research and 
public health use. The software tools use information available from a 
variety of sources to create new data elements, often through 
sophisticated algorithms, for use with the HCUP databases.

[[Page 32655]]

C. The Ordering Process for HCUP Databases and Software

    To support AHRQ's mission to improve health care through scientific 
research, HCUP databases and software tools are disseminated to users 
outside of HHS through a mechanism known as the HCUP Central 
Distributor, which is operated by a private contractor. Databases and 
software disseminated through the HCUP Central Distributor are referred 
to as ``restricted access public release files;'' they are publicly 
available, but only under restricted conditions. The HCUP Central 
Distributor enables qualified researchers to access uniform research 
data across multiple states with the use of one application process, 
consisting of the following:
    (1) HCUP Application. All persons wanting access to the HCUP 
databases must complete the application process. For state databases, a 
description of the individual's planned use of the HCUP data will be 
reviewed to confirm that it is consistent with the data use 
restrictions that apply to the data. As an alternative to the online 
ordering form, paper versions of application packages will continue to 
be available for download at http://www.HCUP-us.AHRQ.gov/tech_assist/centdist.JSP.
    (2) HCUP Data Use Agreement Training. All persons wanting access to 
the HCUP databases must complete this online training course. The 
purpose of the training is to emphasize the importance of data 
protection, reduce the risk of inadvertent violations, and describe the 
individual's responsibility when using HCUP data. The training course 
can be accessed and completed online at http://www.HCUP-us.AHRQ.gov/tech_assist/dua.JSP.
    (3) HCUP Data Use Agreement (DUA). All persons wanting access to 
the HCUP databases must sign a data use agreement. Each database has a 
unique DUA; an example DUA for the Nationwide Inpatient Sample database 
is available at http://www.HCUP-us.AHRQ.gov/team/NISDUA.JSP.
    HCUP databases are released to researchers outside of AHRQ after 
the completion of required training and submission of an application 
that includes a signed HCUP Data Use Agreement (DUA). In addition, 
before restricted access public release state-level databases are 
released, the user is asked for a brief description of their research 
to ensure that the planned use is consistent with HCUP policies and 
with the HCUP data use requirements. Fees are set for databases 
released through the HCUP Central Distributor depending on the type of 
database. The fees for sale of state-level data are determined by each 
participating Statewide Data Organization and reimbursed to those 
organizations.

II. The Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the 
United States Government collects, maintains, and uses personally 
identifiable information (PII) in a system of records. A ``system of 
records'' is a group of any records under the control of a Federal 
agency from which information about individuals is retrieved by name or 
other personal identifier. The Privacy Act requires each agency to 
publish in the Federal Register a system of records notice (SORN) 
identifying and describing each system of records the agency maintains, 
including the purposes for which the agency uses PII in the system, the 
routine uses for which the agency discloses such information outside 
the agency, and how individual record subjects can exercise their 
rights under the Privacy Act (e.g., to determine if the system contains 
information about them).

SYSTEM NUMBER: 09-35-0003.

SYSTEM NAME:
    ``Online Application Ordering for Products from the Healthcare Cost 
and Utilization Project (HCUP)''.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Servers: The servers hosting the system will be housed at the 
Social & Scientific Systems data center located in Ashburn, VA.
    Portals: This system will be accessed via the Internet.
    System Software: System software will be maintained by Social & 
Scientific Systems, Silver Spring, MD.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system will contain personally identifiable information (PII) 
about individual researchers who purchase HCUP databases through use of 
an HCUP online application that includes payment of a fee and execution 
of a Data Use Agreement placing restrictions on use of the HCUP data.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system will contain the following categories of records and PII 
data elements:
    (1) HCUP Application Form, containing the individual's contact 
information (name, address, telephone number and email address), a 
coded number indicating that the individual completed the required HCUP 
Data Use Agreement Training, and a description of the individual's 
planned use of the HCUP data.
    (2) Transaction Records, containing information on the database 
and/or software order and contact information for purchaser. Credit 
card numbers or bank account information from electronic orders will 
not be stored in the system after the transaction is complete.
    (3) HCUP Data Use Agreement (DUA), containing the individual's 
signature and contact information.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    42 U.S.C. 299-299a; 42 U.S.C. 299c-2.

PURPOSE(S) OF THE SYSTEM:
    HHS/AHRQ will use PII from this system for the following purposes:
    (1) Business Transaction: Contact information will be used to 
communicate with the individual and to ship the data to the individual 
(e.g., on a disk or other media). The description of the individual's 
planned use of the HCUP data will be reviewed to confirm that it is 
consistent with the data use restrictions that apply to the data.
    (2) Payment Transaction: Credit card and bank account information 
will be used to complete orders for HCUP databases and software 
products. Credit card and e-check transactions collected by the HCUP 
information system will be transmitted securely to a PCI-compliant 
payment gateway for approval. The payment gateway will process the 
transaction and cause the funds to be transferred when the order is 
completed.
    (3) Enforcement of the HCUP Data Use Agreement (DUA): The 
individual's signature and contact information on the HCUP DUA and the 
coded number on the application form indicating completion of HCUP Data 
Use Agreement Training will be used in the event that the individual 
violates the DUA, to enforce the data use restrictions. Most of these 
restrictions have been put in place to safeguard the privacy of 
individuals and establishments represented in the data. For example, 
data users can only use the data for research, analysis, and aggregate 
statistical reporting and are prohibited from attempting to identify 
any persons in the data.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    The system may disclose records containing PII to parties outside 
HHS for the following routine uses:

[[Page 32656]]

    (1) Records may be disclosed to agency contractors who have been 
engaged by the agency to assist in accomplishment of the HHS function 
relating to the purposes of this system of records and who need to have 
access to the records in order to assist HHS.
    (2) Records may be disclosed to the Department of Justice (DOJ), a 
court, or an adjudicatory body when:
     The agency or any component thereof, or
     Any employee of the agency in his or her official 
capacity, or
     Any employee of the agency in his or her individual 
capacity where DOJ has agreed to represent the employee, or
     The United States Government, is a party to litigation or 
has an interest in such litigation and, by careful review, HHS 
determines that the records are both relevant and necessary to the 
litigation and that the use of such records by the DOJ, court or 
adjudicatory body is compatible with the purpose for which the agency 
collected the records.
    (3) Records may be disclosed to another federal agency or an 
instrumentality of any governmental jurisdiction within or under the 
control of the United States (including any State or local governmental 
agency), that administers, or that has the authority to investigate, 
potential fraud, waste or abuse in federally funded programs, when 
disclosure is deemed reasonably necessary by HHS to prevent, deter, 
discover, detect, investigate, examine, prosecute, sue with respect to, 
defend against, correct, remedy, or otherwise combat fraud, waste or 
abuse in such programs.
    (4) Records may be disclosed to appropriate federal agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to respond to a suspected 
or confirmed breach of the security or confidentiality of information 
maintained in this system of records, when the information disclosed is 
relevant and necessary for that assistance.
    The system may also disclose PII data for any of the uses 
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and 
(b)(4)-(11).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM--
STORAGE:
    Information will be collected via the online ordering application, 
fax, or email. Electronic records are stored in databases on magnetic 
tape, on magnetic disk and in secure electronic files at the 
contractor's location (Social & Scientific Systems in Ashburn, VA) and 
at the tape storage facility: Storage Village White Flint, North 
Bethesda, MD.
    Credit card or e-check information will not be stored in the 
information system's database after the transaction is completed. For 
those who cannot use the online application, the transaction can be 
completed with payments by check, purchase order, or wire transfer 
handled by fax or mail, and for these transactions, credit card or e-
check information is destroyed when the order is completed.

RETRIEVABILITY:
    The application and HCUP Data Use Agreement records will be 
retrieved by registrant/user name or User ID number.

SAFEGUARDS:
    The identifiable information collected will be transmitted to the 
hosting server via an encrypted Secure Socket Layer (SSL) connection. 
Access to the database housing the identifiable information is 
accomplished through individual authorized administrative accounts. The 
server housing the identifiable information is located in a data center 
owned by Social & Scientific Systems and is located in Ashburn, VA. The 
data center is protected via 24/7 guards at all entrances, video 
monitoring systems, biometric hand readers, cage locks, and system 
firewalls.
     The information stored is captured and transmitted over an 
SSL connection for secure encrypted transmission.
     Access to the database is only permissible at the 
administrator level and is done so either (a) in order to fulfill the 
applicant's request, (b) for system maintenance, or (c) in the event of 
a DUA violation.
     The server housing the system is located in a secure 
facility with 24/7 guards at the entrance points, camera monitoring 
systems, biometric hand readers, and cage locks.
    The information collected by the electronic form will be stored in 
a SQL Server 2008 database. Data stored in the database will remain 
there indefinitely until requested by AHRQ. SSS performs nightly 
backups of the database. The backups are encrypted and stored offsite. 
At the conclusion of the contract, the information system as well as a 
current copy of the database can be provided to AHRQ by request.
    The information system uses a defense-in-depth strategy when it 
comes to user access. Users are assigned individual credentials along 
with a role-based least-privileged user account (LUA). The LUA approach 
ensures that users follow the principle of least privilege and always 
log on with limited user accounts. This strategy also aims to limit the 
use of administrative credentials to administrators, and then only for 
administrative tasks.

RETENTION AND DISPOSAL:
    Information in the application and Data Use Agreement will be 
retained for approximately twenty years, and may be kept longer if 
needed for enforcement, audit, legal, or other agency purposes. 
Retention is necessary for enforcement of data restrictions in the 
event of a Data Use Agreement violation. Storage will be in an 
electronic format that is encrypted, backed up, and stored in two 
secure locations.
    PII related to the business transaction will be retained for up to 
90 days so that a public user can return to their password protected 
account and complete their order. If a user forgets his/her password, 
the system will reset it and convey that information via email.
    Information related to the payment process will not be retained 
after the transaction has been completed. Payment options will include 
credit card, e-check, check, purchase order or wire transfer. 
Information to complete credit card and e-check transactions will be 
collected by the information system and transmitted securely to a PCI-
compliant payment gateway for approval. The payment gateway product 
will process the transaction and cause the funds to be transferred when 
the transaction is captured at the time of shipment. Credit card or e-
check information will not be stored in the information system's 
database. Payments by check, purchase order, or wire transfer will be 
handled by fax or mail.

SYSTEM MANAGER AND ADDRESS:
    HCUP Project Officer, Center for Delivery, Organization, and 
Markets, 540 Gaither Road, Rockville, MD 20850, Telephone: 
301-427-1410, [email protected].

NOTIFICATION PROCEDURE:
    Individuals wishing to know if this system contains records about 
them should write to the System Manager.

RECORD ACCESS PROCEDURE:
    Individuals seeking access to records about them in this system 
should follow the same instructions indicated under ``Notification 
Procedure'' and indicate the record(s) to which access is sought (i.e., 
application form or HCUP Data Use Agreement).

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest the content of information about 
them in

[[Page 32657]]

this system should follow the same instructions indicated under 
``Notification Procedure.'' The request should reasonably identify the 
record, specify the information contested, state the corrective action 
sought, and provide the reasons for the correction, with supporting 
justification.

RECORD SOURCE CATEGORIES:
    All information will be collected directly from the individual 
applicants/users of the Web site, when they complete the online 
application forms.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:
    None.

    Dated: May 21, 2013.
Carolyn M. Clancy,
AHRQ Director.
[FR Doc. 2013-12671 Filed 5-30-13; 8:45 am]
BILLING CODE 4160-90-M