System of Record Notice 09-15-0061
 

 

 

 

 

System name: Ricky Ray Hemophilia Relief Fund Act of 1998, HHS/HRSA/BHPr

Security classification: None.

System location:

  • Ricky Ray Program Office, Bureau of Health Professions, Health Resources and Services Administration, Room 8-05, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

Categories of individuals covered by the system: Petitioners and/or their representatives (if any) filing for compensation under the Ricky Ray Hemophilia Relief Fund Act of 1998.

Categories of records in the system: Records consist of documents which may include general or Congressional correspondence, Notice of Intent to File a Petition, case number assignment, HHS responses, medical and legal documentation, payment information, and other related case processing documents.

Authority for maintenance of the system: The authority for management of the system is governed by Pub. L. 105-369, Ricky Ray Hemophilia Relief Fund Act of 1998, enacted November 12, 1998 (42 U.S.C. 300c-22) which provides for compassionate payments with regard to certain individuals with blood-clotting disorders, such as hemophilia, who contracted human immunodeficiency virus (HIV) due to contaminated anti-hemophilic factor within specified time periods.

Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

  1. Disclosure may be made to a Congressional office from the record of an individual petitioner, in response to an inquiry from the Congressional office made at the request of the petitioner.
  2. In the event of litigation where the defendant is:
    (a) The Department, any component of the Department, or any employee of the Department in his or her official capacity;
    (b) The United States where the Department determines that the claim, if successful, is likely to directly affect the operations of the Department or any of its components; or
    (c) Any Department employee in his or her individual capacity where the Justice Department has agreed to represent such employee, for example in defending against a claim based upon an individual’s mental or physical condition and alleged to have arisen because of activities of the Public Health Service in connection with such individual, the Department may disclose such records as it deems desirable or necessary to the Department of Justice to enable that Department to present an effective defense, provided that such disclosure is compatible with the purpose for which the records were collected.
  3. HRSA may disclose records to Department contractors and subcontractors for the purposes of conducting data analysis for program evaluations, compiling managerial and statistical reports, and record systems processing and refinement.
  4. HRSA may contract with expert consultants for the purpose of obtaining advice on petitioner’s eligibility for compensation. Relevant records may be disclosed to such consultants. The consultants shall be required to maintain Privacy Act safeguards with respect to such records and return all records to HRSA.
  5. In the event that a system of records maintained by this agency to carry out its functions indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred to the appropriate agency, whether Federal, State or local, charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, rule, regulation or order issued pursuant thereto, provided that such disclosure is compatible with the purpose for which records were collected.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

  • Storage: Records are maintained in file folders, on computer hard drives and/or disk packs.
  • Retrievability: Retrievability will be by case number and/or name of petitioner.
  • Safeguards:

    1. Assign Responsibility for Security: Assign responsibility for security to a management official knowledgeable in the nature of the information and process supported by the application and in the management, personnel, operational, and technical controls used to protect it.
    2. Perform Risk Assessment: A risk assessment shall be conducted in conjunction with the development of and prior to the approval of the system design and shall ensure that vulnerabilities, risks, and other security concerns are identified and addressed in the system design and throughout the life cycle of the project. This shall be consistent with the HHS Automated Information Systems Security Program Handbook (in particular Chapters V and X).
    3. Develop Application Security Plan: Plan for the adequate security of the application, taking into account the security of all systems in which the application will operate. Application security plans shall address application rules, training on use of the system, personnel security, contingency planning, technical controls, information sharing, and public access controls.
    4. Review Application Controls: Perform an independent review or audit of the security control in the application at least every 3 years.
    5. Authorize Processing: Ensure that a management official authorizes in writing confirming that its security plan as implemented adequately secures the application. The application must be authorized prior to operating and reauthorized at least every 3 years thereafter. Management authorization implies accepting the risk of each system used by the application.
    6. Implementation Guidelines: DHHS Chapter 45-13 and supplementary Chapter PHS.hf: 45-13 of the General Administration Manual; the DHHS Automated Information Systems Security Program Handbook; and Appendix III to OMB Circular No. A-130; Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals.

Retention and disposal: Records will be retained for 6 years after the program is closed, and then destroyed.

System manager(s) and address:

  • Program Manager, Ricky Ray Program Office, Bureau of Health Professions, Health Resources and Services Administration, Parklawn Building, Room 8-05, 5600 Fishers Lane, Rockville, MD 20857.

Notification procedure: Requests must be made to the System Manager.

Requests in person: An individual who appears at the site where records are stored seeking access to or disclosure of records relating to him/her shall provide his/her name, current address, and at least one piece of identification such as driver’s license, passport, voter registration card, or union card. Identification with a current photograph is preferred but not required. Additional identification may be requested when there is a request for access to records which contain an apparent discrepancy between information contained in the records and that provided by the individual requesting access to the records. No verification of identity shall be required where the record is one which is required to be disclosed under the Freedom of Information Act.

Requests by mail: Requests for information and/or access to records received by mail must contain information providing the identity of the writer and a reasonable description of the record desired. Written requests must contain the name and address of the requester, his/her date of birth and his/her signature for comparison purposes.

Requests by telephone: Since positive identification of the caller cannot be established, telephone requests are not honored.

Record access procedures: Same as notification procedures. Requesters should also reasonably specify the record contents being sought. Individuals may also request an accounting of disclosures that may have been made of their records, if any.

Contesting record procedure: Contact the System Manager at the address specified above and reasonably identify the record, specify the information being contested, and state the corrective action and the reason(s) for requesting the correction, along with supporting justification to show how the record is inaccurate, incomplete, untimely, or irrelevant.

Record source categories: Petitioners and/or their representatives under the Ricky Ray Hemophilia Relief Fund Act of 1998.

Systems exempted from certain provisions of the act: None.