System of Record Notice 09-15-0071

SYSTEM NUMBER: 09-15-0071

SYSTEM NAME: Countermeasures Injury Compensation Program, HHS/HRSA/HSB.

SECURITY CLASSIFICATION: None.

SYSTEM LOCATION: Healthcare Systems Bureau (HSB), Health Resources and Services Administration (HRSA), 5600 Fishers Lane, Room 11C-06, Rockville, Maryland 20857.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Individuals covered by the system are injured countermeasure recipients or their representatives, survivors of such recipients or their representatives, and representatives of the estates of deceased injured countermeasure recipients, filing for benefits under the Countermeasures Injury Compensation Program (CICP or the Program).

CATEGORIES OF RECORDS IN THE SYSTEM: Records consist of documents that may include, but are not limited to, general or congressional correspondence, requests, case number assignment, HHS responses to correspondence, medical and legal documentation, employment documentation, documentation concerning services or benefits available from the United States or any third party (including any State or local governmental entity, private insurance carrier, or employer), payment information, and other related case processing documents.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM: The authority for maintaining this system of records is 42 U.S.C. 247d-6e. Management of the system is authorized by P.L. 109‑148, the Public Readiness and Emergency Preparedness Act (PREP Act), enacted on December 30, 2005 (42 U.S.C. 247d-6e).

PURPOSE(S): The purpose of the system is to provide benefits to certain individuals who have sustained a covered injury as a result of the administration or use of a covered countermeasure, and to provide benefits to the survivors and/or estates of deceased injured countermeasure recipients. Requests for Benefits must be submitted to the CICP no later than (one) 1 year from the date the recipient was administered or used a covered countermeasure.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

1. Disclosure may be made to a Congressional office from the record of a subject individual, in response to an inquiry from the Congressional office made at the written request of that individual or his/her legal or personal representative.

2. Disclosure may be made to Federal, State or local Government entities or to private entities for the purpose of their providing information relevant to medical, legal, or financial (e.g., insurance, payment) documentation required for determinations of eligibility or payment, provided that such disclosure is compatible with the purpose for which the records were collected.

3. Disclosure of records may be made to contractors engaged by the Department who need access to the records in order to assist the Department, e.g., medical experts or consultants providing advice on requesters’ eligibility for benefits. All such individuals shall be required to maintain Privacy Act safeguards with respect to such records and return all records to HRSA and not retain any copies.

4. Disclosure of records may be made to contractors engaged by the Department who need access to the records in order to assist the Department in evaluating the effectiveness of the CICP.

5. Disclosure of records may be made to individuals and/or entities as necessary for the purposes of obtaining financial advice and providing benefits to requesters approved for payment under the Program. All individuals and/or entities permitted disclosure for this use shall be required to maintain Privacy Act safeguards with respect to such records and return all records to HRSA without retaining any copies.

6. Disclosure of records may be made to a Federal agency assisting in the accomplishment of a Departmental function relating to the purposes of this system of records, provided that such disclosure is compatible with the purposes for which the records are collected, or to a Federal agency administering aspects of the Program, as authorized by a Memorandum of Agreement between the Secretary or her designee and the head of the Federal agency or designee.

7. Disclosure of records may be made in the event of litigation where the defendant is:

(a) the Department, any component of the Department, or any employee of the Department in his or her official capacity;

(b) the United States where the Department determines that the action, if successful, is likely to affect directly the operation of the Department or any of its components; or

(c) any Department employee in his or her individual capacity where the Department of Justice (DOJ) has agreed to represent such employee, for example, in defending an action against the Department in connection with such individual, disclosure may be made to DOJ to enable DOJ to present an effective defense, provided that such disclosure is compatible with the purpose for which the records were collected.

8. Disclosure may be made in the event that a system of records maintained by this agency to carry out its functions indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred to the appropriate agency, whether Federal, State or local, charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, rule, regulation or order issued pursuant thereto, provided that such disclosure is compatible with the purpose for which the records were collected.

9. A record may be disclosed to researchers for a scientific research purpose, only when the Department has determined:

(a) That the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained;

(b) That the research purpose is consistent with the purpose for which the Program was formed;

(c) That the proposed research is scientifically sound in its methods and analyses and is likely to answer the proposed research question;

(d) That the information sought is not available from any other source;

(e) That the record made available for scientific research is redacted of all personal identifiers regarding injured individuals, health care practitioners and employers that are not essential for the accomplishment of the approved research purpose, and;

(f) That the recipient of records for scientific research purposes:

(1) Established strict limitations acceptable to the Department concerning the receipt and use of any patient-identifiable data;

(2) Established reasonable administrative, technical, and physical safeguards and/or protocols acceptable to the Department to protect the confidentiality of the data and to prevent the unauthorized use or disclosure of the record;

(3) Removes or destroys the information that identifies an individual at the earliest time that removal or destruction can be accomplished consistent with the purpose of the research project;

(4) Makes no further use or disclosure of the record except when required by law; and

(5) Secures and approves a written statement attesting to the recipient's understanding of, and agreement to abide by, these conditions of disclosure.

Violation of these provisions is subject to penalties set forth under 5 U.S.C. 552a(i)(3) and any other applicable Federal law.

10. Disclosure of records may be made to appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the

Department’s efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE: Records are maintained in file folders, on computer hard drives and shared drives, and/or in electronic media storage.

RETRIEVABILITY: Records can be retrieved by the requester’s name and by the case number assigned based on the order in which the Letter of Intent to File a Request for Benefits or the Request for Benefits form is filed.

SAFEGUARDS:
1. Assign Responsibility for Security: Responsibility is assigned to a CICP management official who is knowledgeable about the nature of the information in this system of records, the process of reviewing records contained in it, and in the management, personnel, operational, and technical controls used to protect it.

2. Perform Risk Assessment: A risk assessment is to be conducted in conjunction with the development of, and prior to the approval of, the system design and will ensure that vulnerabilities, risks, and other security concerns are identified and addressed in the system design and throughout the life cycle of the project. This is consistent with the Information Security Program Policy, HHS IRM Policy 2004-002.001 (Dec. 15, 2004), Section 3.7.3.

3. Develop CICP Request Security Plan: Plan for the adequate security of the CICP Request for Benefits system, taking into account the security of all systems in which Requests for Benefits will operate. CICP request security plans shall address request rules, training on use of the system, personnel security, contingency planning, technical controls, information sharing, and public access controls.

4. Review CICP Request for Benefits System Controls: Perform an independent review or audit of the CICP Request for Benefits system security control in accordance with applicable Federal requirements and/or guidelines.

5. Authorize Processing: Ensure that a management official authorizes, in writing, confirmation that the security plan as implemented adequately secures the CICP Request for Benefits system. The CICP Request for Benefits system must be authorized prior to operating and reauthorized in accordance with applicable Federal requirements and/or guidelines.

6. Implementation Guidelines: DHHS Chapter 45-13 “Safeguarding Records Contained in Systems of Records;” the Information Security Program Policy, HHS IRM Policy 2004-002.001 (Dec. 15, 2004); and Appendix III to OMB Circular No. A-130 “Security of Federal Automated Information Resources;” Appendix I to OMB Circular No. A-130, “Federal Agency Responsibilities for Maintaining Records About Individuals.”

RETENTION AND DISPOSAL: HRSA is working with NARA to obtain the appropriate retention value. Records will be retained and disposed of in accordance with the Records Control Schedule of the Health Resources and Services Administration.

SYSTEM MANAGER(S) AND ADDRESS: Director, Countermeasures Injury Compensation Program, Healthcare Systems Bureau, Health Resources and Services Administration, 5600 Fishers Lane, Room 11C-06, Rockville, Maryland 20857, or the Director’s designee.

NOTIFICATION PROCEDURE: Requests must be made to the System Manager.

Requests by mail: Requests for information and/or access to records received by mail must contain information providing the identity of the writer, and a reasonable description of the record desired, and whom it concerns. Written requests must contain the name and address of the requester, his/her date of birth and his/her signature for comparison purposes. Requests must be notarized to verify the identity of the requester, or the requester must certify that (s)he is the individual who (s)he claims to be and that (s)he understands that to knowingly and willfully request or acquire a record pertaining to another individual under false pretenses is a criminal offense under the Privacy Act subject to a $5,000 fine (45 CFR 5b.5(b)(2)(ii)).

Requests in person: Record access procedures are the same as notification procedures. The requester should provide a reasonable description of the contents of the record being sought. Records will be mailed only to the requester’s address that is on file, unless a different address is demonstrated by official documentation. A parent or guardian who requests notification of, or access to, a minor/legally incompetent person's medical records must verify his/her relationship to the minor/legally incompetent person as well as his/her own identity and shall designate a family physician or other health professional (other than a family member) to whom the record, if any, will be sent.

Requests by telephone/ facsimile/ electronic mail: Since positive identification of the requester cannot be established, telephone, facsimile, or electronic mail (e-mail) requests will not be honored.

RECORD ACCESS PROCEDURES: Record access procedures are the same as Requests in Person procedures above.

CONTESTING RECORDS PROCEDURES: To contest a record in the system, contact the System Manager at the address specified above and reasonably identify the record, stipulate the information being contested, state the corrective action sought and the reason(s) for requesting the correction, along with supporting documentation to show how the record is inaccurate, incomplete, untimely, or irrelevant.

RECORD SOURCE CATEGORIES: Sources of records include, but are not limited to, countermeasure recipients and/ or their legal or personal representatives under the Countermeasures Injury Compensation Program, and any other sources of information or documentation submitted by any other person or entity for inclusion in a request for the purpose of determining medical or legal eligibility for, or amount of benefits and/or compensation under, the Program (e.g., Federal, State, or local government or private health care entities participating in the administration of covered countermeasures under a Secretarial declaration).

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT: None.