[Privacy Act Issuances (2003)]
[DEPARTMENT OF HEALTH AND HUMAN SERVICES]
[Centers for Medicare]
[From the U.S. Government Printing Office, www.gpo.gov]

09-70-0542

System name:
MLN Registration and Product Ordering System, (MLNR-POS), HHS/CMS/CMM.

Security classification:
Level 3, Privacy Act Sensitive.

System location:
HCFA Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850. CMS contractors and agents at various locations.

Categories of individuals covered by the system:
This system will contain the health care provider's first and last name, mailing address, provider type, facility type, telephone number, fax numbers and e-mail address. The data submission by the health care provider is voluntary. This system may collect social security number, provider number, UPIN number or contractor ID number.

Categories of records in the system:
This system will contain the health care provider's first and last name, mailing address, provider type, facility type, telephone number, fax numbers and e-mail address. The data submission by the health care provider is voluntary. This system may collect social security number, provider number, UPIN number or contractor ID number.

Authority for maintenance of the system:
Title IV of the Benefits Improvement Protection Act of 2000 (Pub. L. 106-554, Appendix F)
Title IV of the Balanced Budget Act of 1997
Sections 1816(a) and 1842(a)(3) of the Social Security Act

Purpose(s):
The primary purpose of the system of records is to provide CMS with greater efficiency in MLNR-POS product fulfillment and improve management of MLNR-POS educational product inventory. This system will also provide CMS with an automated registration system that will allow health care providers to register for CMS educational programs and order CMS educational products.
In the event that CMS becomes an accredited provider of continuing education credits, this system will provide CMS with the ability to track awarded continuing education credits as required by the accrediting organizations.

Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may release information from the MLNR-POS Registration and Product Ordering System without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected.

In addition, CMS policy will be to prohibit release even of non-identifiable data, except pursuant to one of the routine uses, if there is a possibility that an individual can be identified through implicit deduction based on small cell sizes (instances where the patient population is so small that individuals who are familiar with the enrollees could, because of the small size, use this information to deduce the identity of the beneficiary).

Be advised, this System of Records contains Protected Health Information as defined by the Department of Health and Human Services' (HHS) regulation ``Standards for Privacy of Individually Identifiable Health Information'' (45 CFR parts 160 and 164, 65 FR 8462 as amended by 66 FR 12434). Disclosures of Protected Health Information authorized by these routine uses may only be made if, and as, permitted or required by the ``Standards for Privacy of Individually Identifiable Health Information.''

1. To agency contractors, or consultants that have been contracted by the agency to assist in the performance of a service related to this system of records and that need to have access to the records in order to perform the activity.

2. To a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional Office made at the written request of the constituent about whom the record is maintained.

3. To the Department of Justice (DOJ), court or adjudicatory body when:
   a. The agency or any component thereof; or
   b. Any employee of the agency in his or her official capacity; or
   c. Any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee; or
   d. The United States Government;
   is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

Storage:
Records are stored on paper and magnetic media.

Retrievability:
The health care provider, through their self-identified user ID and password, can retrieve their own records. Those with database administrative access may also access the database information.

Safeguards:
CMS has safeguards for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the system have been trained in the Privacy Act and systems security requirements. Employees who maintain records in the system are instructed not to release any data until the intended recipient agrees to implement appropriate administrative, technical, procedural, and physical safeguards sufficient to protect the confidentiality of the data and to prevent unauthorized access to the data.
In addition, CMS has physical safeguards in place to reduce the exposure of computer equipment and thus achieve an optimum level of protection and security for the CMS system. For computerized records, safeguards have been established in accordance with HHS standards and National Institute of Standards and Technology guidelines; e.g., security codes will be used, limiting access to authorized personnel. System securities are established in accordance with HHS, Information Resource Management Circular 10, Automated Information Systems Security Program; CMS Information Systems Security, Standards Guidelines Handbook and OMB Circular No. A-130 (revised) Appendix III.

Retention and disposal:
Records are disposed of in accordance with established CMS, Privacy Act and HIPAA retention guidelines. CMS will conduct periodic reviews to determine if these records are historical and should be placed in permanent files after established retention periods and administrative needs of CMS have elapsed. The records are maintained online in the system for 8 years. After an 8-year period, the records are transferred to an inactive file and destroyed 2 months later.

Note: The Department of Justice issued a directive in 1992 prohibiting the destruction of Medicare claims/administrative records. Therefore, all Medicare claims-related/administrative data will be retained until the freeze is lifted.

System manager(s) and address:
Director, Provider Communications Group (PCG), Center for Medicare Management, CMS, Mail Stop S1-05-06, 7500 Security Boulevard, Baltimore, Maryland, 21244-1850.

Notification procedure:
For purpose of access, the subject individual should write to the system manager, who will require the system name, the subject individual's name (woman's maiden name, if applicable), social security number (SSN) (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay), address, date of correspondence and control number.

Record access procedures:
For purpose of access, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2).)

Contesting record procedures:
The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)

Record source categories:
Data submission is voluntary and is self-reported by the health care provider.

Systems exempted from certain provisions of the act:
None.