System of Record Notice 09-15-0065
System Number: 09-15-0065
System Name: Smallpox Vaccine Injury Compensation Program, HHS/HRSA/OSP.
Security Classification: None.
Office of Special Programs, Health Resources and Services Administration, 4350 East-West Highway, 10th Floor, Bethesda, Maryland 20814.
Categories of Individuals Covered by the System: Individuals covered by the system are requesters and/or their representatives filing for benefits and other compensation under the Smallpox Vaccine Injury Compensation Program.
Categories of Records in the System: Records consist of documents that may include general or
congressional correspondence, requests, case number assignment, HHS responses, medical and legal documentation, employment documentation, documentation concerning services or benefits available from the United States or any third party (including any State or local governmental entity, private insurance carrier, or employer), payment information, and other related case processing documents.
Authority for Maintenance of the System: Management of the system is authorized by Pub. L. 108-20, the Smallpox Emergency Personnel Protection Act of 2003, enacted April 30, 2003 (42 U.S.C. 239 et seq.).
Purpose(s): The purpose of the system is to provide for benefits and other compensatory payments to certain individuals who sustained a covered injury as the direct result of the administration of smallpox countermeasures, and certain individuals who sustained a covered injury as a direct result of accidental vaccinia inoculation through contact with the foregoing persons or with individuals accidently inoculated by them, during a specified time period.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
- Disclosure may be made to a congressional office from the record of a subject individual, in response to an inquiry from the congressional office made at the written request of that individual or his/her representative.
- Disclosure may be made to Federal, State or local Government entities or to private entities for the purpose of their providing information relevant to medical or legal documentation required for determinations of eligibility or payment, provided that such disclosure is compatible with the purpose for which the records were collected.
- Disclosure of records may be made to contractors engaged by the Department who need access to the records in order to assist the Department, e.g., expert consultants providing advice on requesters' eligibility for benefits and/or compensation. All such individuals shall be required to maintain Privacy Act safeguards with respect to such records and return all records to HRSA.
- Disclosure of records may be made to individuals and/or entities as necessary for the purposes of obtaining financial advice and providing benefits and other compensation to requestors approved for payment under the Program. All individuals and/or entities permitted disclosure for this use shall be required to maintain Privacy Act safeguards with respect to such records and return all records to HRSA.
- Disclosure of records may be made to a Federal agency administering aspects of the Program, as authorized by a Memorandum of Agreement between the Secretary and the head of the Federal agency, or to another Federal agency assisting in the accomplishment of a Departmental function relating to the purposes of this system of records, provided that such disclosure is compatible with the purposes for which the records are collected.
- Disclosure of records may be made in the event of litigation where the defendant is: (a) The Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) The United States where the Department determines that the action, if successful, is likely to affect directly the operation of the Department or any of its components; or (c) Any Department employee in his or her individual capacity where the Department of Justice (DoJ) has agreed to represent such employee, for example, in defending an action against the Department in connection with such individual, disclosure may be made to DoJ to enable DoJ to present an effective defense, provided that such disclosure is compatible with the purpose for which the records were collected.
- Disclosure may be made in the event that a system of records maintained by this agency to carry out its functions indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, regulation, rule, or order issued pursuant
thereto, the relevant records in the system of records may be referred to the appropriate agency, whether Federal, State or local, charged with the responsibility of investigating or prosecuting such violation,
or charged with enforcing or implementing the statute, rule, regulation or order issued pursuant thereto, provided that such disclosure is compatible with the purpose for which the records were collected.
- A record may be disclosed for a medical research purpose, only when the Department has determined:
(a) That the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (b) That the research purpose is consistent with the purpose for which the Program was formed; (c) That the proposed research is scientifically sound in its methods and analyses and is likely to answer the proposed research question; (d) That the information sought is not available from any other
source; and (e) That the record made available for medical research is redacted of all personal identifiers regarding injured individuals, health care practitioners and employers that are not essential for the accomplishment of the approved research purpose. (f) The recipient must:
- (1) Establish strict limitations acceptable to the Department concerning the receipt and use of any patient-identifiable data; (2) Establish reasonable administrative, technical, and physical safeguards and/or protocols acceptable to the Department to protect the confidentiality of the data and to prevent the unauthorized use or
disclosure of the record; (3) Remove or destroy the information that identifies an individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project; and
(4) Make no further use or disclosure of the record except when required by law. (a) Further, the Department must secure and approve a written statement attesting to the recipient's understanding of, and agreement
to abide by, these conditions of disclosure. Violation of these provisions is subject to penalties set forth under 5 U.S.C. 552a(i)(3) and any other applicable Federal law.
Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:
- Storage: Records are maintained in file folders, on computer hard drives and/or disk packs, or in electronic media storage.
- Retrievability: Retrievability is by name of the requester, and by case number assigned based on the order in which a request form is filed.
- Assign Responsibility for Security: Responsibility is assigned to a management official knowledgeable in the nature of the information and process supported by the Smallpox Vaccine Injury Compensation Program (SVICP) request and in the management, personnel, operational, and technical controls used to protect it.
- Perform Risk Assessment: A risk assessment is to be conducted in conjunction with the development of, and prior to the approval of, the system design and will ensure that vulnerabilities, risks, and other security concerns are identified and addressed in the system design and throughout the life cycle of the project. This is consistent with the HHS Automated Information Systems Security Program Handbook (in particular Chapters V and X).
- Develop SVICP Request Security Plan: Plan for the adequate security of the SVICP request, taking into account the security of all systems in which the request will operate. SVICP request security plans shall address request rules, training on use of the system, personnel security, contingency planning, technical controls, information sharing, and public access controls.
- Review SVICP Request Controls: Perform an independent review or audit of the SVICP request security control in accordance with applicable Federal requirements and/or guidelines.
- Authorize Processing: Ensure that a management official authorizes, in writing, confirmation that the security plan as implemented adequately securesthe SVICP request. The SVICP request must be authorized prior to operating and reauthorized in accordance with applicable Federal
requirements and/or guidelines.
- Implementation Guidelines: DHHS Chapter 45-13 and supplementary Chapter PHS.hf: 45-13 of the General Administration Manual; the DHHS Automated Information Systems Security Program Handbook; and Appendix III to OMB Circular No. A-130; Appendix I, ``Federal Agency Responsibilities for Maintaining Records About Individuals.''
Retention and disposal: Records will be retained and disposed of in accordance with the Records Control Schedule of the Health Resources and Services Administration.
System manager(s) and address:
Director, Office of Special Programs, Health Resources and Services Administration, 5600 Fishers Lane, Room 16C-17, Rockville, Maryland 20857, or the Director's designee.
Notification procedure: Requests must be made to the System Manager.
Requests by mail: Requests for information and/or access to records received by mail must contain information providing the identity of the writer, and a reasonable description of the record desired, and whom it concerns. Written requests must contain the name and address of the requester, his/her date of birth and his/her signature for comparison purposes. Requests must be notarized to verify the identity of the requester, or the requester must certify that (s)he is the individual who (s)he claims to be and that (s)he understands that to knowingly and willfully request or acquire a record pertaining to another individual under false pretenses is a criminal offense under the Privacy Act subject to a $5,000 fine (45 CFR 5b.5(b)(2)(ii)).Requests in person or by telephone, electronic mail or facsimile cannot be honored.
Record access procedures: Record access procedures are the same as notification procedures.
Requesters should also provide a reasonable description of the contents of the record being sought. A parent or guardian who requests notification of, or access to, a minor's/incompetent person's medical record shall designate a family physician or other health professional (other than a family member) to whom the recrd, if any, will be sent.
The parent or guardian must verify relationship to the minor/ incompetent person as well as his/her own identity. Records will be mailed only to the requester's address that is on file, unless a different address is demonstrated by official documentation.
Contesting record procedure: To contest a record in the system, contact the System Manager at the address specified above and reasonably identify the record, specify the information being contested, and state the corrective action sought and the reason(s) for requesting the correction, along with supporting documentation to show how the record is inaccurate, incomplete, untimely, or irrelevant.
Record source categories: Sources of records include, but are not limited to, requesters and/ or their representatives under the Smallpox Vaccine Injury Compensation Program, and any other sources of information or documentation submitted by any other person or entity for inclusion in a request for the purpose of determining medical or legal eligibility for, or amount of benefits and/or compensation under, the Program (e.g., Federal,
State, or local government or private health care entities participating in the administration of covered countermeasures under the Declaration).
Systems exempted from certain provisions of the act: None.