SYSTEM NAME AND NUMBER: Organ Procurement and Transplantation Network (OPTN)/Scientific Registry of Transplant Recipients (SRTR) Data System, HHS/HRSA/HSB/DoT, 09-15-0055
SECURITY CLASSIFICATION: Unclassified
SYSTEM LOCATION: The address of the agency component responsible for the system of records is:
HRSA Division of Transplantation
Health Systems Bureau
5600 Fishers Lane
Rockville, MD 20857
Service provider addresses:
- OPTN Contractor:
United Network for Organ Sharing (UNOS)
700 N 4th Street
Richmond, VA 23219
- SRTR Contractor:
Chronic Disease Research Group of the Hennepin Healthcare Research Institute
701 Park Avenue
Minneapolis, MN 55415
SYSTEM MANAGER(S): The system managers are as follows:
- For OPTN records: United Network for Organ Sharing (UNOS), email address firstname.lastname@example.org, telephone (888) 894–6361.
- For SRTR records: Chronic Disease Research Group (CDRG), Hennepin Healthcare Research Institute, email address email@example.com, telephone (877) 970–7787.
- Contact information for HRSA Division of Transplantation: Division of Transplantation, Health Systems Bureau, HRSA, email address firstname.lastname@example.org, telephone (301) 443–7577.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 42 U.S.C. 274 requires that the HHS Secretary, by contract, provide for the establishment and operation of an organ procurement and transplantation network, and 42 U.S.C. 274a requires that the Secretary, by grant or contract, develop and maintain a scientific registry of the recipients of organ transplants. 42 U.S.C. 274(b)(2)(H) and CFR part 121 authorize OPTN’s and SRTR’s collection of the information included in this system of records. In addition, 42 U.S.C. 273a authorizes HHS to establish and maintain mechanisms to evaluate the long-term effects associated with living donations. Federal regulations at 42 CFR 121.11 also authorize the OPTN and SRTR to collect information concerning living organ donors and prospective living organ donors as the Secretary deems appropriate.
PURPOSE(S) FOR RECORDS IN THIS SYSTEM: Records are used by the Department, the OPTN, the OPTN contractor, and the SRTR contractor to: (1) facilitate organ placement and match donor organs with recipients; (2) monitor compliance of member organizations with federal laws and regulations and with OPTN bylaws and policies, including risks to the health of patients or to the public safety; (3) review and report periodically to the public on the status of organ donation and transplantation in the United States; (4) provide data to researchers and government agencies to study the scientific and clinical status of organ donation and transplantation; (5) perform transplantation-related public health surveillance including possible transmission of donor disease; (6) provide data on individuals with records in the system to HHS' Centers for Medicare & Medicaid Services (CMS) and to contractors of CMS business associates, with appropriate limitations, data protections, and safeguards including execution of a written agreement attesting to the data recipient's understanding of, and willingness to abide by these provisions, for purposes including to monitor the individual's status in the OPTN system and to inform the individual's clinical care in order to assist in registering candidates on the waitlist and in facilitating organ placement and matching donor organs with recipients; and (7) provide data on individuals with records in the system to health care professionals providing clinical care to those individuals, for purposes including to monitor the individual's status in the OPTN system and to inform the individual's clinical care in order to assist in registering candidates on the waitlist and in facilitating organ placement and matching donor organs with recipients.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Records pertain to the following categories of individuals (note that all categories are limited to living individuals):
- Individuals from whom organs have been obtained for transplantation.
- Individuals who are candidates for receiving organ transplantation.
- Individuals who have been recipients of transplanted organs.
- Individuals who are potential deceased organ donors.
- Individuals who are potential living organ donors or individuals who intend to become living organ donors (even if the donation does not occur).
- Individuals who donate organs for transplantation.
- Individuals being evaluated for transplant receipt.
CATEGORIES OF RECORDS IN THE SYSTEM: The records consist of information about potential donors and transplant candidates required for organ matching and placement and follow-up. Categories of records include donor registration, transplant candidate registration, transplant recipient registration, histocompatibility, transplant recipient follow-up, donor follow-up, registration of prospective organ donors who did not become donors, forms, and other non-registry operational information. Data elements include: name, Social Security number, address, identifiers assigned by OPTN and SRTR contractors, hospital and hospital provider number, State and zip code of residence, citizenship, race/ethnicity, sex at birth, date and time of organ recovery, and transplantation, name of transplant center, histocompatibility information, donor medical information, recipient and donor medical information before and after transplantation, immunosuppressive medication, health care coverage, employment, and education level.
RECORD SOURCE CATEGORIES: Individuals' records are provided to the OPTN contractor and SRTR contractor by organ procurement organizations, histocompatibility laboratories, organ transplant centers, and health care providers which obtain the information directly from individuals or their representatives. Records may also be supplemented with information from other sources of data, such as CMS and other organizations.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: In addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), records about an individual may be disclosed from this system of records without the individual's prior written consent, to the following non-HHS parties for the following purposes:
- HRSA may disclose records to Departmental contractors and/or their subcontractors who have been engaged by the Department to assist in accomplishment of a Departmental function relating to the purposes for this system of records and who require access to the records in order to assist the Department.
- HRSA, independently and through its contractor(s), may disclose records regarding potential deceased organ donors (who are still living), living and potential living organ donors, organ transplant candidates, and organ transplant recipients, to members of the OPTN Board of Directors, OPTN Committees, and OPTN Review Boards. Such disclosures will be shared only on a need to know basis in order for members of the OPTN Board of Directors, Committees, and Review Boards to do the work required of them for the operation of the OPTN relating to the purposes of this system of records, including matching donor organs with recipients, monitoring compliance of member organizations with Federal laws and regulations and OPTN bylaws and policies and for risks to the health of patients or for the public safety and transplantation-related public health surveillance. Generally, such information is not shared in a patient-identified or identifiable manner.
- HRSA, independently and through its contractor(s), may disclose records regarding living individuals who are potential deceased or potential living donors, potential organ transplant candidates, and organ transplant recipients, to transplant centers, histocompatibility laboratories, organ procurement organizations, and other public health agencies such as Surveillance Epidemiology and End Results Program registries, State registries, and State health agencies, for purposes including: matching donor organs with recipients, monitoring compliance of member organizations with federal laws and regulations and OPTN requirements, reviewing and reporting periodically to the public on the status of organ donation and transplantation in the United States, and transplantation-related public health surveillance. These records consist of Social Security numbers, other patient identification information, and pertinent medical information.
- HRSA may disclose records to the Department of Justice (DOJ) or to a court or other tribunal in litigation involving, as a defendant, (a) the Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) the United States where the Department determines that the claim, if successful, is likely to affect directly the operation of the Department or any of its components; or (c) any Department employee in his or her individual capacity where the DOJ has agreed to represent such employee, for example, in defending a claim against the Public Health Service in connection with such individual, for the purpose of enabling DOJ to present an effective defense.
- HRSA may disclose records to DOJ or to a court or other tribunal in the event of pending or potential litigation involving the Department or the United States as a plaintiff, intervenor, or amicus, or involving the contractor for the OPTN or the SRTR as a defendant in connection with its role as a contractor for the OPTN or the SRTR, or involving the OPTN.
- HRSA may disclose records to a congressional office from the record of an individual in response to a written inquiry from the congressional office made at the written request of that individual.
- A record may be disclosed for a research purpose, when the Department, independently or through its contractor(s):
  - Has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained;
  - Has determined that a bona fide research/analysis purpose exists;
  - Has required the data recipient to: (1) establish strict limitations concerning the receipt and use of patient-identified or center-identified data; (2) establish reasonable administrative, technical, and physical safeguards to protect the confidentiality of the data and to prevent the unauthorized use or disclosure of the record; (3) remove, destroy, or return the information that identifies the individual or center at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the data recipient has presented adequate justification of a research or health nature for retaining such information; and (4) make no further use or disclosure of the record except as authorized by HRSA or its contractor(s) or when required by law;
  - Has determined that other applicable safeguards or protocols will be followed; and
  - Has secured a written statement attesting to the data recipient's understanding of, and willingness to abide by, these provisions.
- Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS' efforts to respond to the suspected or confirmed breach or to prevent, minimize or remedy such harm.
- Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.
- A record may be disclosed to physicians or other health care professionals providing clinical treatment to such individuals, for clinical purposes, when the Department, independently or through its contractor(s):
  - Has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained;
  - Has required the data recipient to:
    - Establish strict limitations concerning the receipt and use of patient-identified or center-identified data;
    - Establish reasonable administrative, technical, and physical safeguards to protect the confidentiality of the data and to prevent the unauthorized use or disclosure of the record;
    - Remove, destroy, or return the information that identifies the individual or center at the earliest time at which removal or destruction can be accomplished consistent with the clinical purpose of the project, unless the data recipient has presented adequate justification of a research or health nature for retaining such information;
    - Make no further use or disclosure of the record except as authorized by HRSA or its contractor(s) or when required by law; and
    - Require any business associates of the data recipient to which the data recipient is authorized to disclose the record and does disclose the record, whether in original or derivative form, and to prohibit such a business associate from making any further use or disclosure of the record except as authorized by HRSA or its contractor(s) or when required by law; and
  - Has secured a written statement from the data recipient attesting to the data recipient's understanding of, and willingness to abide by these provisions.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Records are maintained electronically and in hard-copy files.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: Records in the system are retrieved by more than one type of personal identifier, including name and social security number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: The records are currently unscheduled and retained indefinitely pending completion of a disposition schedule approved by the National Archives and Records Administration (NARA).
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
- Authorized users: Access is limited to authorized HRSA and contract personnel responsible for administering the program. Authorized personnel include the System Manager and HRSA Contracting Officer's Representative, and the HRSA Automated Information System (AIS) Systems Security Officer; and the program managers/program specialists who have responsibilities for implementing the program. Both HRSA and its contractor(s) are required to maintain current lists of authorized users.
- Physical safeguards: Computer equipment, electronic files, and hard-copy files are stored in areas where fire and life safety codes are strictly enforced. All electronic and hard-copy files are protected on a 24-hour basis. Security guards perform random checks on the physical security of the files storage area. The OPTN and SRTR contractors are required to maintain off-site a complete copy of the system and all necessary files to run the computer organ donor-recipient match and update software.
- Procedural safeguards: A password is required to access the terminal, and a data set name controls the release of data to only authorized users. All users of personal information in connection with the performance of their jobs protect information from public view and from unauthorized personnel entering an unsupervised office. All authorized users must sign a nondisclosure statement. Access to records is limited to those staff members trained in accordance with the Privacy Act and Automated Data Processing (ADP) security procedures. The contractors are required to assure that the confidentiality safeguards of these records will be employed and that it complies with all provisions of the Privacy Act. All individuals who have access to these records must have the appropriate ADP security clearances. Privacy Act and ADP system security requirements are included in the contracts. The HRSA Contracting Officer's Representatives and the System Manager(s) oversee compliance with these requirements. The HRSA authorized users make visits to the contractors' facilities to assure security and Privacy Act compliance. The contractors are required to adhere to a HRSA approved system security plan.
RECORDS ACCESS PROCEDURES: Individuals may request access to records about them in this system of records by submitting a written access request to the OPTN or SRTR contractor identified in the “System Manager(s)” section of this SORN at the email address provided in that section. The request must contain the individual's full name, address, date of birth, and signature; the name of the applicable transplant center; and a reasonable description of the records sought. To verify the requester's identity, the signature must be notarized or the request must include the requester's written certification that the requester is the individual who the requester claims to be and that the requester understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000. The individual may also request an accounting of disclosures that have been made of the records, if any.
A parent or guardian who requests access to records about a minor or an individual with diminished capacity must verify his or her relationship to the minor or incompetent individual as well as his/her own identity.
CONTESTING RECORDS PROCEDURES: Individuals may seek to amend a record about them in this system of records by submitting a written amendment request to the OPTN contractor or SRTR contractor identified in the “System Manager(s)” section of this SORN at the email address provided in that section, with a copy to the HRSA Division of Transplantation at the email address indicated, containing the same information required for an access request. The request must include verification of the requester's identity in the same manner required for an access request and must reasonably identify the relevant record, specify the information being contested and the corrective action sought, and include reasons for requesting the correction, along with supporting documentation, to show how the record is inaccurate, incomplete, untimely, or irrelevant.
NOTIFICATION PROCEDURE: Individuals who wish to know if this system of records contains a record about them must submit a written notification request to the OPTN or SRTR contractor identified in the “System Manager(s)” section of this SORN, at the email address provided in that section. The request must contain the same information required for an access request and must include verification of the requester's identity in the same manner required for an access request.
EXEMPTIONS PROMULGATED FOR THE SYSTEM: None.
HISTORY: 74 FR 57184 (Nov. 4, 2009), 83 FR 6591 (Feb. 14, 2018).