You are on page 1of 7

Federal Register / Vol. 71, No.

214 / Monday, November 6, 2006 / Notices 64955

FEDERAL RESERVE SYSTEM 225), and all other applicable statutes ACTION:Notice of a Modified or Altered
and regulations to become a bank System of Records (SOR).
Change in Bank Control Notices; holding company and/or to acquire the
Acquisition of Shares of Bank or Bank assets or the ownership of, control of, or SUMMARY: In accordance with the
Holding Companies the power to vote shares of a bank or requirements of the Privacy Act of 1974,
bank holding company and all of the we are proposing to modify or alter an
The notificants listed below have existing system of records titled
banks and nonbanking companies
applied under the Change in Bank ‘‘Common Working File (CWF),’’ System
owned by the bank holding company,
Control Act (12 U.S.C. 1817(j)) and No. 09–70–0526,’’ most recently
including the companies listed below.
§ 225.41 of the Board’s Regulation Y (12 The applications listed below, as well modified at 67 Federal Register (FR)
CFR 225.41) to acquire a bank or bank as other related filings required by the 3210 (January 23, 2002). We propose to
holding company. The factors that are Board, are available for immediate modify existing routine use number 1
considered in acting on the notices are inspection at the Federal Reserve Bank that permits disclosure to agency
set forth in paragraph 7 of the Act (12 indicated. The application also will be contractors and consultants to include
U.S.C. 1817(j)(7)). available for inspection at the offices of disclosure to CMS grantees who perform
The notices are available for the Board of Governors. Interested a task for the agency. CMS grantees,
immediate inspection at the Federal persons may express their views in charged with completing projects or
Reserve Bank indicated. The notices writing on the standards enumerated in activities that require CMS data to carry
also will be available for inspection at the BHC Act (12 U.S.C. 1842(c)). If the out that activity, are classified separate
the office of the Board of Governors. proposal also involves the acquisition of from CMS contractors and/or
Interested persons may express their a nonbanking company, the review also consultants. The modified routine use
views in writing to the Reserve Bank includes whether the acquisition of the will remain as routine use number 1.
indicated for that notice or to the offices We will delete routine use number 8
nonbanking company complies with the
of the Board of Governors. Comments authorizing disclosure to support
standards in section 4 of the BHC Act
must be received not later than constituent requests made to a
(12 U.S.C. 1843). Unless otherwise
November 21, 2006. congressional representative. If an
noted, nonbanking activities will be
A. Federal Reserve Bank of Chicago authorization for the disclosure has
conducted throughout the United States. been obtained from the data subject,
(Patrick M. Wilder, Assistant Vice Additional information on all bank
President) 230 South LaSalle Street, then no routine use is needed. The
holding companies may be obtained Privacy Act allows for disclosures with
Chicago, Illinois 60690-1414: from the National Information Center
1. David R. Barnes and Francesca the ‘‘prior written consent’’ of the data
Web site at http://www.ffiec.gov/nic/. subject. We will modify existing routine
DeRose, both of Racine, Wisconsin; Unless otherwise noted, comments
Nicolet DeRose, Kenosha, Wisconsin, use number 5 that permits disclosure to
regarding each of these applications
and Kari Barnes, Tigard, Oregon; to Peer Review Organizations (PRO).
must be received at the Reserve Bank
acquire voting shares of Wisconsin Organizations previously referred to as
indicated or the offices of the Board of
Bancshares, Inc., Kenosha, Wisconsin, PROs will be renamed to read: Quality
Governors not later than December 1,
and thereby indirectly acquire voting Improvement Organizations (QIO).
2006.
shares of Banks of Wisconsin, Kenosha, Information will be disclosed to QIOs
Wisconsin. A. Federal Reserve Bank of St. Louis relating to assessing and improving
B. Federal Reserve Bank of (Glenda Wilson, Community Affairs quality of care as well as proper
Minneapolis (Jacqueline G. King, Officer) 411 Locust Street, St. Louis, payment of claims. The modified
Community Affairs Officer) 90 Missouri 63166-2034: routine use will remain as routine use
Hennepin Avenue, Minneapolis, 1. The McGehee Bank Employee Stock number 5. We will broaden the scope of
Minnesota 55480-0291: Ownership Plan, McGehee, Arkansas; to routine uses number 10 and 11,
1. Karen K. Zaun, Saint Cloud, become a bank holding company by authorizing disclosures to combat fraud
Minnesota; to acquire voting shares of acquiring up to 28 percent of the voting and abuse in the Medicare and
Eden Valley Bancshares, Inc., Eden shares of Southeast Financial Bankstock Medicaid programs to include
Valley, Minnesota, and thereby Corporation, McGehee, Arkansas, and combating ‘‘waste’’ which refers to
indirectly acquire voting shares of State thereby indirectly acquire voting shares specific beneficiary/recipient practices
Bank in Eden Valley, Eden Valley, of McGehee Bank, McGehee, Arkansas. that result in unnecessary cost to all
Minnesota. Federally-funded health benefit
Board of Governors of the Federal Reserve
Board of Governors of the Federal Reserve System, November 1, 2006.
programs.
System, November 1, 2006. We are modifying the language in the
Jennifer J. Johnson,
remaining routine uses to provide a
Jennifer J. Johnson, Secretary of the Board. proper explanation as to the need for the
Secretary of the Board. [FR Doc. E6–18622 Filed 11–3–06; 8:45 am] routine use and to provide clarity to
[FR Doc. E6–18621 Filed 11–3–06; 8:45 am] BILLING CODE 6210–01–S CMS’s intention to disclose individual-
BILLING CODE 6210–01–S specific information contained in this
system. The routine uses will then be
DEPARTMENT OF HEALTH AND prioritized and reordered according to
FEDERAL RESERVE SYSTEM HUMAN SERVICES their usage. We will also take the
Formations of, Acquisitions by, and opportunity to update any sections of
Centers For Medicare & Medicaid the system that were affected by the
Mergers of Bank Holding Companies Services recent reorganization or because of the
rwilkins on PROD1PC63 with NOTICES

The companies listed in this notice impact of the Medicare Prescription


Privacy Act of 1974; Report of a
have applied to the Board for approval, Drug, Improvement, and Modernization
Modified or Altered System
pursuant to the Bank Holding Company Act of 2003 (MMA) (Public Law 108–
Act of 1956 (12 U.S.C. 1841 et seq.) AGENCY: Centers for Medicare & 173) provisions and to update language
(BHC Act), Regulation Y (12 CFR Part Medicaid Services, HHS. in the administrative sections to

VerDate Aug<31>2005 17:31 Nov 03, 2006 Jkt 211001 PO 00000 Frm 00036 Fmt 4703 Sfmt 4703 E:\FR\FM\06NON1.SGM 06NON1
64956 Federal Register / Vol. 71, No. 214 / Monday, November 6, 2006 / Notices

correspond with language used in other appointment, during regular business Any such disclosure of data is known as
CMS SORs. hours, Monday through Friday from 9 a ‘‘routine use.’’ The government will
The primary purpose of the system of a.m.–3 p.m., eastern time zone. only release CWF information that can
records is to properly pay medical FOR FURTHER INFORMATION CONTACT: be associated with an individual as
insurance benefits to or on behalf of Richard Wolfsheimer, Health Insurance provided for under ‘‘Section III.
entitled beneficiaries. Information in Specialist, Division of Systems Proposed Routine Use Disclosures of
this system will also be released to: (1) Operations, Business Applications Data in the System.’’ Both identifiable
Support regulatory and policy functions Management Group, Office of and non-identifiable data may be
performed within the Agency or by a Information Services, CMS, Room N2– disclosed under a routine use.
contractor, consultant, or grantee; (2) 08–18, 7500 Security Boulevard, We will only collect the minimum
assist another Federal or State agency, Baltimore, Maryland 21244–1850. The personal data necessary to achieve the
agency of a State government, an agency telephone number is 410–786–6160. purpose of CWF. CMS has the following
established by State law, or its fiscal SUPPLEMENTARY INFORMATION: policies and procedures concerning
agent; (3) assist third party contacts; (4) disclosures of information that will be
assist providers and suppliers of I. Description of the Modified or maintained in the system. Disclosure of
services directly or through fiscal Altered System of Records information from this system will be
intermediaries or carriers; (5) support A. Statutory and Regulatory Basis for approved only to the extent necessary to
Quality Improvement Organizations System accomplish the purpose of the
(QIO) or Quality Review Organizations; disclosure and only after CMS:
(6) assist insurance companies and other Authority for the maintenance of this 1. Determines that the use or
groups providing protection for their system of records is given under the disclosure is consistent with the reason
enrollees, or who are primary payers to authority of sections 1816, and 1874 of that the data is being collected, e.g., to
Medicare in accordance with 42 United Title XVIII of the Social Security Act (42 properly pay medical insurance benefits
States Code (U.S.C.) 1395y (b); (7) U.S.C. 1395h, and 1395kk). to or on behalf of entitled beneficiaries.
support an individual or organization B. Collection and Maintenance of Data 2. Determines:
for research, evaluation, or in the System a. That the purpose for which the
epidemiological projects; (8) support disclosure is to be made can only be
The system contains information on
litigation involving the Agency related accomplished if the record is provided
Medicare beneficiaries, on whose behalf
to this system of records; and (9) combat in individually identifiable form;
providers have submitted claims for
fraud, waste, and abuse in certain b. that the purpose for which the
reimbursement on a reasonable cost
Federally-funded health care programs. disclosure is to be made is of sufficient
basis under Medicare Part A and B, or
We have provided background importance to warrant the potential
are eligible, and/or individuals whose
information about the modified system effect and/or risk on the privacy of the
enrollment in an employer group health
in the ‘‘Supplementary Information’’ individual that additional exposure of
benefits plan covers the beneficiary.
section below. Although the Privacy Act the record might bring; and
Information contained in this system
requires only that CMS provide an c. that there is a strong probability
consist of billing for medical and other
opportunity for interested persons to that the proposed use of the data would
health care services, uniform bill for
comment on the routine uses, CMS in fact accomplish the stated purpose(s).
provider services or equivalent data in
invites comments on all portions of this 3. Requires the information recipient
an electronic format, and Medicare
notice. See EFFECTIVE DATES section for to:
Secondary Payer (MSP) records
comment period. a. Establish administrative, technical,
containing other third party liability
EFFECTIVE DATES: CMS filed a modified and physical safeguards to prevent
insurance information necessary for
or altered system report with the Chair unauthorized use of disclosure of the
appropriate Medicare claims payment
of the House Committee on Government record; and
and other documents used to support b. remove or destroy at the earliest
Reform and Oversight, the Chair of the payments to beneficiaries and providers
Senate Committee on Homeland time all patient-identifiable information.
of services. These forms contain the 4. Determines that the data are valid
Security & Governmental Affairs, and beneficiary’s name, sex, health
the Administrator, Office of Information and reliable.
insurance claim number (HIC), address,
and Regulatory Affairs, Office of date of birth, medical record number, III. Proposed Routine Use Disclosures
Management and Budget (OMB) on 10/ prior stay information, provider name of Data in the System
30/2006. To ensure that all parties have and address, physician’s name, and/or
adequate time in which to comment, the A. Entities Who May Receive
identification number, warranty Disclosures Under Routine Use
modified system, including routine information when pacemakers are
uses, will become effective 30 days from implanted or explanted, date of These routine uses specify
the publication of the notice, or 40 days admission or discharge, other health circumstances, in addition to those
from the date it was submitted to OMB insurance, diagnosis, surgical provided by statute in the Privacy Act
and Congress, whichever is later, unless procedures, and a statement of services of 1974, under which CMS may release
CMS receives comments that require rendered for related charges and other information from the CWF without the
alterations to this notice. data needed to substantiate claims. consent of the individual to whom such
ADDRESSES: The public should address information pertains. Each proposed
comments to: CMS Privacy Officer, II. Agency Policies, Procedures, and disclosure of information under these
Division of Privacy Compliance, Restrictions on The Routine Use routine uses will be evaluated to ensure
Enterprise Architecture and Strategy A. The Privacy Act permits us to that the disclosure is legally
rwilkins on PROD1PC63 with NOTICES

Group, Office of Information Services, disclose information without an permissible, including but not limited to
CMS, Room N2–04–27, 7500 Security individual’s consent if the information ensuring that the purpose of the
Boulevard, Baltimore, Maryland 21244– is to be used for a purpose that is disclosure is compatible with the
1850. Comments received will be compatible with the purpose(s) for purpose for which the information was
available for review at this location, by which the information was collected. collected. We propose to establish or

VerDate Aug<31>2005 17:31 Nov 03, 2006 Jkt 211001 PO 00000 Frm 00037 Fmt 4703 Sfmt 4703 E:\FR\FM\06NON1.SGM 06NON1
Federal Register / Vol. 71, No. 214 / Monday, November 6, 2006 / Notices 64957

modify the following routine use forgery, or unlawful negotiation of where the party to be contacted has, or
disclosures of information maintained Medicare reimbursement checks. is expected to have information relating
in the system: The United States Postal Service may to the individual’s capacity to manage
1. To agency contractors, consultants, require CWF data for investigating his or her affairs or to his or her
or grantees, who have been engaged by alleged forgery or theft of eligibility for, or an entitlement to,
the agency to assist in the performance reimbursement checks. benefits under the Medicare program
of a service related to this collection and The Railroad Retirement Board and,
who need to have access to the records requires CWF information to enable a. The individual is unable to provide
in order to perform the activity. them to assist in the implementation the information being sought (an
We contemplate disclosing and maintenance of the Medicare individual is considered to be unable to
information under this routine use only program. provide certain types of information
in situations in which CMS may enter SSA requires CWF data to enable when any of the following conditions
into a contractual or similar agreement them to assist in the implementation exists: the individual is confined to a
with a third party to assist in and maintenance of the Medicare mental institution, a court of competent
accomplishing CMS function relating to program. jurisdiction has appointed a guardian to
purposes for this system. The Internal Revenue Service may manage the affairs of that individual, a
require CWF data for the application of court of competent jurisdiction has
CMS occasionally contracts out
tax penalties against employers and declared the individual to be mentally
certain of its functions when doing so
employee organizations that contribute incompetent, or the individual’s
would contribute to effective and
to Employer Group Health Plan or Large attending physician has certified that
efficient operations. CMS must be able
Group Health Plans that are not in the individual is not sufficiently
to give a contractor, consultant or
compliance with 42 U.S.C. 1395y(b). mentally competent to manage his or
grantee whatever information is
Disclosure under this routine use
necessary for the contractor or her own affairs or to provide the
shall be used by State Medicaid
consultant to fulfill its duties. In these information being sought, the individual
agencies pursuant to agreements with
situations, safeguards are provided in cannot read or write, cannot afford the
HHS for administration of State
the contract prohibiting the contractor, cost of obtaining the information, a
supplementation payments for
consultant or grantee from using or language barrier exists, or the custodian
determinations of eligibility for
disclosing the information for any of the information will not, as a matter
Medicaid, for enrollment of welfare
purpose other than that described in the of policy, provide it to the individual),
recipients for medical insurance under
contract and requires the contractor, or
section 1843 of the Act, for quality
consultant or grantee to return or b. the data are needed to establish the
control studies, for determining
destroy all information at the validity of evidence or to verify the
eligibility of recipients of assistance
completion of the contract. accuracy of information presented by
under Titles IV, and XIX of the Act, and
Carriers and intermediaries for the complete administration of the the individual, and it concerns one or
occasionally work with contractors to Medicaid program. CWF data will be more of the following: The individual’s
identify and recover erroneous Medicare released to the State only on those entitlement to benefits under the
payments for which workers’ individuals who are patients under the Medicare program; and the amount of
compensation programs are liable. services of a Medicaid program within reimbursement; any case in which the
2. To another Federal or State agency, the State or who are residents of that evidence is being reviewed as a result of
agency of a State government, an agency State. suspected fraud, waste, and abuse,
established by State law, or its fiscal Occasionally State licensing boards program integrity, quality appraisal, or
agent pursuant to agreements with CMS require access to the CWF data for evaluation and measurement of program
to: review of unethical practices or activities.
a. Contribute to the accuracy of CMS’s nonprofessional conduct. Third parties contacts require CWF
proper payment of Medicare benefits, We also contemplate disclosing information in order to provide support
b. enable such agency to administer a information under this routine use in for the individual’s entitlement to
Federal health benefits program, or as situations in which State auditing benefits under the Medicare program; to
necessary to enable such agency to agencies require CWF information for establish the validity of evidence or to
fulfill a requirement of a Federal statute auditing of Medicare eligibility verify the accuracy of information
or regulation that implements a health considerations. Disclosure of presented by the individual or the
benefits program funded in whole or in physicians’ customary charge data are representative of the applicant, and
part with Federal funds, and/or made to State audit agencies in order to assist in the monitoring of Medicare
c. assist Federal/State Medicaid ascertain the corrections of Title XIX claims information of beneficiaries,
programs within the State. charges and payments. CMS may enter including proper reimbursement of
Other Federal or State agencies in into an agreement with State auditing services provided.
their administration of a Federal health agencies to assist in accomplishing Senior citizen volunteers working in
program may require CWF information functions relating to purposes for this the carriers and intermediaries’ offices
for the purposes of determining, system of records. to assist Medicare beneficiaries’ request
evaluating, and/or assessing cost, State and other governmental for assistance may require access to
effectiveness, and/or the quality of workers’ compensation agencies CWF information.
health care services provided in the working with CMS to assure that Occasionally fiscal intermediary/
State, to support evaluations and workers’ compensation payments are carrier banks, automated
monitoring of Medicare claims made where Medicare has erroneously clearinghouses, VANS, and provider
rwilkins on PROD1PC63 with NOTICES

information of beneficiaries, including paid and workers’ compensation banks, to the extent necessary transfer to
proper reimbursement for services programs are liable. providers electronic remittance advice
provided. 3. To third party contacts (without the of Medicare payments, and with respect
The Treasury Department may require consent of the individuals to whom the to provider banks, to the extent
CWF data for investigating alleged theft, information pertains) in situations necessary to provide account

VerDate Aug<31>2005 17:31 Nov 03, 2006 Jkt 211001 PO 00000 Frm 00038 Fmt 4703 Sfmt 4703 E:\FR\FM\06NON1.SGM 06NON1
64958 Federal Register / Vol. 71, No. 214 / Monday, November 6, 2006 / Notices

management services to providers using a. Certify that the individual about discover, detect, investigate, examine,
this information. whom the information is being provided prosecute, sue with respect to, defend
4. To providers and suppliers of is one of its insured or employees, or is against, correct, remedy, or otherwise
services dealing through fiscal insured and/or employed by another combat fraud, waste, or abuse in such
intermediaries or carriers for the entity for whom they serve as a TPA; program.
administration of Title XVIII of the Act. b. utilize the information solely for We contemplate disclosing
Providers and suppliers of services the purpose of processing the information under this routine use only
require CWF information in order to individual’s insurance claims; and in situations in which CMS may enter
establish the validity of evidence, or to c. safeguard the confidentiality of the into a contract or grant with a third
verify the accuracy of information data and prevent unauthorized access. party to assist in accomplishing CMS
presented by the individual as it Other insurers may require CWF functions relating to the purpose of
concerns the individual’s entitlement to information in order to support combating fraud, waste, or abuse.
benefits under the Medicare program, evaluations and monitoring of Medicare CMS occasionally contracts out
including proper reimbursement for claims information of beneficiaries, certain of its functions when doing so
services provided. including proper reimbursement for would contribute to effective and
Providers and suppliers of services services provided. efficient operations. CMS must be able
who are attempting to validate items on 7. To an individual or organization for to give a contractor or grantee whatever
which the amounts included in the research, evaluation, or epidemiological information is necessary for the
annual Physician/Supplier Payment projects related to the prevention of contractor or grantee to fulfill its duties.
List, or other similar publications are disease or disability, the restoration or In these situations, safeguards are
based. maintenance of health, or payment provided in the contract prohibiting the
5. To Quality Improvement related projects. contractor or grantee from using or
Organizations ( QIO) in connection with CWF data will provide for research, disclosing the information for any
review of claims, or in connection with evaluations and epidemiological purpose other than that described in the
studies or other review activities, projects, a broader, longitudinal, contract and requiring the contractor or
conducted pursuant to Part A and Part national perspective of the status of grantee to return or destroy all
B of Title XI of the Act and in Medicare beneficiaries. CMS anticipates information.
performing affirmative outreach that many researchers will have 10. To another Federal agency or to an
activities to individuals for the purpose legitimate requests to use these data in instrumentality of any governmental
of establishing and maintaining their projects that could ultimately improve jurisdiction within or under the control
entitlement to Medicare benefits or the care provided to Medicare of the United States (including any State
health insurance plans. beneficiaries and the policy that governs or local governmental agency), that
QIOs will work to implement quality the care. administers, or that has the authority to
improvement programs, provide 8. To the Department of Justice (DOJ), investigate potential fraud, waste, or
consultation to CMS, its contractors, court or adjudicatory body when: abuse in a health benefits program
and to State agencies. QIOs will assist a. The Agency or any component funded in whole or in part by Federal
the State agencies in related monitoring thereof, or funds, when disclosure is deemed
and enforcement efforts, assist CMS and b. any employee of the Agency in his reasonably necessary by CMS to
Intermediaries and Carriers in program or her official capacity, or prevent, deter, discover, detect,
integrity assessment, and prepare c. any employee of the Agency in his investigate, examine, prosecute, sue
summary information for release to or her individual capacity where the with respect to, defend against, correct,
CMS. DOJ has agreed to represent the remedy, or otherwise combat fraud or
6. To insurance companies, employee, or abuse in such programs.
underwriters, third party administrators d. the United States Government, is a Other agencies may require CWF
(TPA), employers, self-insurers, group party to litigation or has an interest in information for the purpose of
health plans, health maintenance such litigation, and by careful review, combating fraud, waste, and abuse in
organizations (HMO), health and CMS determines that the records are such Federally-funded programs.
welfare benefit funds, managed care both relevant and necessary to the
organizations, other supplemental litigation and that the use of such B. Additional Circumstances Affecting
insurers, non-coordinating insurers, records is deemed by the Agency to be Routine Use Disclosures
multiple employer trusts, liability for a purpose that is compatible with the To the extent this system contains
insurers, no-fault medical automobile purposes for which the Agency Protected Health Information (PHI) as
insurers, workers’ compensation carriers collected the records. defined by HHS regulation ‘‘Standards
or plans, other groups providing Whenever CMS is involved in for Privacy of Individually Identifiable
protection against medical expenses litigation, or occasionally when another Health Information’’ (45 CFR Parts 160
without the beneficiary’s authorization, party is involved in litigation and CMS’s and 164, Subparts A and E) 65 FR 82462
and any entity having knowledge of the policies or operations could be affected (12–28–00). Disclosures of such PHI that
occurrence of any event affecting (a) An by the outcome of the litigation, CMS are otherwise authorized by these
individual’s right to any such benefit or would be able to disclose information to routine uses may only be made if, and
payment, or (b) the initial right to any the DOJ, court or adjudicatory body as, permitted or required by the
such benefit or payment, for the purpose involved. ‘‘Standards for Privacy of Individually
of coordination of benefits with the 9. To a CMS contractor (including, but Identifiable Health Information.’’ (See
Medicare program and implementation not limited to fiscal intermediaries and 45 CFR 164–512 (a) (1)).
of the MSP provision at 42 U.S.C. carriers) that assists in the In addition, our policy will be to
rwilkins on PROD1PC63 with NOTICES

1395y(b). Information to be disclosed administration of a CMS-administered prohibit release even of data not directly
shall be limited to Medicare utilization health benefits program, or to a grantee identifiable, except pursuant to one of
data necessary to perform that specific of a CMS-administered grant program, the routine uses or if required by law,
function. In order to receive the when disclosure is deemed reasonably if we determine there is a possibility
information, they must agree to: necessary by CMS to prevent, deter, that an individual can be identified

VerDate Aug<31>2005 17:31 Nov 03, 2006 Jkt 211001 PO 00000 Frm 00039 Fmt 4703 Sfmt 4703 E:\FR\FM\06NON1.SGM 06NON1
Federal Register / Vol. 71, No. 214 / Monday, November 6, 2006 / Notices 64959

through implicit deduction based on whose data are maintained in the insurance, diagnosis, surgical
small cell sizes (instances where the system. CMS will collect only that procedures, and a statement of services
patient population is so small that information necessary to perform the rendered for related charges and other
individuals could, because of the small system’s functions. In addition, CMS data needed to substantiate claims.
size, use this information to deduce the will make disclosure from the proposed
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
identity of the beneficiary). system only with consent of the subject
individual, or his/her legal Authority for the maintenance of this
IV. Safeguards system of records is given under the
representative, or in accordance with an
CMS has safeguards in place for applicable exception provision of the authority of sections 1816, and 1874 of
authorized users and monitors such Privacy Act. CMS, therefore, does not Title XVIII of the Social Security Act (42
users to ensure against unauthorized anticipate an unfavorable effect on United States Code (U.S.C.) 1395h, and
use. Personnel having access to the individual privacy as a result of 1395kk).
system have been trained in the Privacy information relating to individuals.
Act and information security PURPOSE(S) OF THE SYSTEM:
requirements. Employees who maintain Dated: October 24, 2006. The primary purpose of the system of
records in this system are instructed not John R. Dyer, records is to properly pay medical
to release data until the intended Chief Operating Officer, Centers for Medicare insurance benefits to or on behalf of
recipient agrees to implement & Medicaid Services. entitled beneficiaries. Information in
appropriate management, operational System No. 09–70–0526
this system will also be released to: (1)
and technical safeguards sufficient to Support regulatory and policy functions
protect the confidentiality, integrity and SYSTEM NAME: performed within the Agency or by a
availability of the information and • Common Working File (CWF),’’ contractor, consultant, or grantee; (2)
information systems and to prevent HHS/CMS/OIS. assist another Federal or State agency,
unauthorized access. agency of a State government, an agency
This system will conform to all SECURITY CLASSIFICATION:
established by State law, or its fiscal
applicable Federal laws and regulations Level Three Privacy Act Sensitive agent; (3) assist third party contacts; (4)
and Federal, HHS, and CMS policies Data. assist providers and suppliers of
and standards as they relate to SYSTEM LOCATION: services directly or through fiscal
information security and data privacy. intermediaries or carriers; (5) support
The Centers for Medicare & Medicaid
These laws and regulations may apply Quality Improvement Organizations
Services (CMS) Data Center, 7500
but are not limited to: The Privacy Act (QIO) or Quality Review Organizations;
Security Boulevard, North Building,
of 1974; the Federal Information (6) assist insurance companies and other
First Floor, Baltimore, Maryland 21244–
Security Management Act of 2002; the groups providing protection for their
1850 and at CMS Host Sites located in
Computer Fraud and Abuse Act of 1986; enrollees, or who are primary payers to
Birmingham, Alabama, and Dallas,
the Health Insurance Portability and Medicare in accordance with 42 U.S.C.
Texas.
Accountability Act of 1996; the E– 1395y (b); (7) support an individual or
Government Act of 2002, the Clinger- CATEGORIES OF INDIVIDUALS COVERED BY THE organization for research, evaluation, or
Cohen Act of 1996; the Medicare SYSTEM: epidemiological projects; (8) support
Modernization Act of 2003, and the The system contains information on litigation involving the Agency related
corresponding implementing Medicare beneficiaries, on whose behalf to this system of records; and (9) combat
regulations. OMB Circular A–130, providers have submitted claims for fraud, waste, and abuse in certain
Management of Federal Resources, reimbursement on a reasonable cost Federally-funded health care programs.
Appendix III, Security of Federal basis under Medicare Part A and B, or
Automated Information Resources also ROUTINE USES OF RECORDS MAINTAINED IN THE
are eligible, and/or individuals whose
SYSTEM, INCLUDING CATEGORIES OR USERS AND
applies. Federal, HHS, and CMS enrollment in an employer group health
THE PURPOSES OF SUCH USES:
policies and standards include but are benefits plan covers the beneficiary.
not limited to: All pertinent National A. Entities Who May Receive
CATEGORIES OF RECORDS IN THE SYSTEM: Disclosures Under Routine Use
Institute of Standards and Technology
publications; the HHS Information Information contained in this system These routine uses specify
Systems Program Handbook and the consist of billing for medical and other circumstances, in addition to those
CMS Information Security Handbook. health care services, uniform bill for provided by statute in the Privacy Act
provider services or equivalent data in of 1974, under which CMS may release
V. Effects of the Modified System of an electronic format, and Medicare information from the CWF without the
Records on Individual Rights Secondary Payer (MSP) records consent of the individual to whom such
CMS proposes to modify this system containing other third party liability information pertains. Each proposed
in accordance with the principles and insurance information necessary for disclosure of information under these
requirements of the Privacy Act and will appropriate Medicare claims payment routine uses will be evaluated to ensure
collect, use, and disseminate and other documents used to support that the disclosure is legally
information only as prescribed therein. payments to beneficiaries and providers permissible, including but not limited to
Data in this system will be subject to the of services. These forms contain the ensuring that the purpose of the
authorized releases in accordance with beneficiary’s name, sex, health disclosure is compatible with the
the routine uses identified in this insurance claim number (HIC), address, purpose for which the information was
system of records. date of birth, medical record number, collected. We propose to establish or
CMS will take precautionary prior stay information, provider name modify the following routine use
rwilkins on PROD1PC63 with NOTICES

measures (see item IV above) to and address, physician’s name, and/or disclosures of information maintained
minimize the risks of unauthorized identification number, warranty in the system:
access to the records and the potential information when pacemakers are 1. To agency contractors, consultants,
harm to individual privacy or other implanted or explanted, date of or grantees, who have been engaged by
personal or property rights of patients admission or discharge, other health the agency to assist in the performance

VerDate Aug<31>2005 17:31 Nov 03, 2006 Jkt 211001 PO 00000 Frm 00040 Fmt 4703 Sfmt 4703 E:\FR\FM\06NON1.SGM 06NON1
64960 Federal Register / Vol. 71, No. 214 / Monday, November 6, 2006 / Notices

of a service related to this collection and 5. To Quality Improvement litigation and that the use of such
who need to have access to the records Organizations ( QIO) in connection with records is deemed by the Agency to be
in order to perform the activity. review of claims, or in connection with for a purpose that is compatible with the
2. To another Federal or State agency, studies or other review activities, purposes for which the Agency
agency of a State government, an agency conducted pursuant to Part A and Part collected the records.
established by State law, or its fiscal B of Title XI of the Act and in
agent pursuant to agreements with CMS 9. To a CMS contractor (including, but
performing affirmative outreach
to: not limited to fiscal intermediaries and
activities to individuals for the purpose
a. Contribute to the accuracy of CMS’s of establishing and maintaining their carriers) that assists in the
proper payment of Medicare benefits, entitlement to Medicare benefits or administration of a CMS-administered
b. enable such agency to administer a health insurance plans. health benefits program, or to a grantee
Federal health benefits program, or as 6. To insurance companies, of a CMS-administered grant program,
necessary to enable such agency to underwriters, third party administrators when disclosure is deemed reasonably
fulfill a requirement of a Federal statute (TPA), employers, self-insurers, group necessary by CMS to prevent, deter,
or regulation that implements a health health plans, health maintenance discover, detect, investigate, examine,
benefits program funded in whole or in organizations (HMO), health and prosecute, sue with respect to, defend
part with Federal funds, and/or welfare benefit funds, managed care against, correct, remedy, or otherwise
c. assist Federal/State Medicaid organizations, other supplemental combat fraud, waste, or abuse in such
programs within the State. insurers, non-coordinating insurers, program.
3. To third party contacts (without the
multiple employer trusts, liability 10. To another Federal agency or to an
consent of the individuals to whom the
insurers, no-fault medical automobile instrumentality of any governmental
information pertains) in situations
insurers, workers’ compensation carriers jurisdiction within or under the control
where the party to be contacted has, or
or plans, other groups providing
is expected to have information relating of the United States (including any State
protection against medical expenses
to the individual’s capacity to manage or local governmental agency), that
without the beneficiary’s authorization,
his or her affairs or to his or her administers, or that has the authority to
and any entity having knowledge of the
eligibility for, or an entitlement to, investigate potential fraud, waste, or
occurrence of any event affecting (a) An
benefits under the Medicare program abuse in a health benefits program
individual’s right to any such benefit or
and, funded in whole or in part by Federal
a. The individual is unable to provide payment, or (b) the initial right to any
such benefit or payment, for the purpose funds, when disclosure is deemed
the information being sought (an reasonably necessary by CMS to
individual is considered to be unable to of coordination of benefits with the
Medicare program and implementation prevent, deter, discover, detect,
provide certain types of information investigate, examine, prosecute, sue
when any of the following conditions of the MSP provision at 42 U.S.C. 1395y
(b). Information to be disclosed shall be with respect to, defend against, correct,
exists: The individual is confined to a
limited to Medicare utilization data remedy, or otherwise combat fraud,
mental institution, a court of competent
necessary to perform that specific waste, or abuse in such programs.
jurisdiction has appointed a guardian to
manage the affairs of that individual, a function. In order to receive the B. Additional Circumstances
court of competent jurisdiction has information, they must agree to: Affecting Routine Use Disclosures
a. Certify that the individual about
declared the individual to be mentally To the extent this system contains
whom the information is being provided
incompetent, or the individual’s Protected Health Information (PHI) as
is one of its insured or employees, or is
attending physician has certified that defined by HHS regulation ‘‘Standards
insured and/or employed by another
the individual is not sufficiently for Privacy of Individually Identifiable
entity for whom they serve as a TPA;
mentally competent to manage his or b. utilize the information solely for Health Information’’ (45 CFR Parts 160
her own affairs or to provide the the purpose of processing the and 164, Subparts A and E) 65 Federal
information being sought, the individual individual’s insurance claims; and Register 82462 (12–28–00). Disclosures
cannot read or write, cannot afford the c. safeguard the confidentiality of the of such PHI that are otherwise
cost of obtaining the information, a data and prevent unauthorized access. authorized by these routine uses may
language barrier exist, or the custodian 7. To an individual or organization for
of the information will not, as a matter only be made if, and as, permitted or
research, evaluation, or epidemiological required by the ‘‘Standards for Privacy
of policy, provide it to the individual), projects related to the prevention of
or of Individually Identifiable Health
disease or disability, the restoration or Information.’’ (See 45 CFR 164–
b. the data are needed to establish the maintenance of health, or payment
validity of evidence or to verify the 512(a)(1)).
related projects.
accuracy of information presented by 8. To the Department of Justice (DOJ), In addition, our policy will be to
the individual, and it concerns one or court or adjudicatory body when: prohibit release even of data not directly
more of the following: The individual’s a. The Agency or any component identifiable, except pursuant to one of
entitlement to benefits under the thereof, or the routine uses or if required by law,
Medicare program; and the amount of b. any employee of the Agency in his if we determine there is a possibility
reimbursement; any case in which the or her official capacity, or that an individual can be identified
evidence is being reviewed as a result of c. any employee of the Agency in his through implicit deduction based on
suspected fraud, waste, and abuse, or her individual capacity where the small cell sizes (instances where the
program integrity, quality appraisal, or DOJ has agreed to represent the patient population is so small that
evaluation and measurement of program employee, or
rwilkins on PROD1PC63 with NOTICES

d. the United States Government, is a individuals could, because of the small


activities.
4. To providers and suppliers of party to litigation or has an interest in size, use this information to deduce the
services dealing through fiscal such litigation, and by careful review, identity of the beneficiary).
intermediaries or carriers for the CMS determines that the records are
administration of Title XVIII of the Act. both relevant and necessary to the

VerDate Aug<31>2005 17:31 Nov 03, 2006 Jkt 211001 PO 00000 Frm 00041 Fmt 4703 Sfmt 4703 E:\FR\FM\06NON1.SGM 06NON1
Federal Register / Vol. 71, No. 214 / Monday, November 6, 2006 / Notices 64961

POLICIES AND PRACTICES FOR STORING, SYSTEM MANAGER AND ADDRESS: DEPARTMENT OF HEALTH AND
RETRIEVING, ACCESSING, RETAINING, AND HUMAN SERVICES
DISPOSING OF RECORDS IN THE SYSTEM:
Director, Division of Systems
Operations, Business Applications
STORAGE: Management Group, Office of Centers For Medicare & Medicaid
Information Services, CMS, Room N2– Services
Records are maintained on paper,
computer diskette and on magnetic 08–18, 7500 Security Boulevard, Privacy Act of 1974; Report of a
storage media. Baltimore, Maryland 21244–1850. Modified or Altered System of Records
RETRIEVABILITY: NOTIFICATION PROCEDURE: AGENCY: Centers for Medicare &
Information can be retrieved by the For purpose of access, the subject Medicaid Services, HHS.
beneficiary’s name, HIC, and assigned individual should write to the system ACTION: Notice of a modified or altered
unique physician identification number. manager who will require the system system of records (SOR).
SAFEGUARDS:
name, assigned card key number, and
SUMMARY: In accordance with the
building/secure area, and for
CMS has safeguards in place for verification purposes, the subject Privacy Act of 1974, we are proposing
authorized users and monitors such individual’s name (woman’s maiden to modify or alter an existing SOR,
users to ensure against unauthorized name, if applicable), and SSN. ‘‘Intermediary Medicare Claims Record
use. Personnel having access to the Furnishing the SSN is voluntary, but it (IMCR) System,’’ System No. 09–70–
system have been trained in the Privacy may make searching for a record easier 0503, last published at 67 Federal
Act and information security and prevent delay. Register 65982 (October 29, 2002). We
requirements. Employees who maintain propose to change the name of this
records in this system are instructed not RECORD ACCESS PROCEDURE: system to more closely reflect the name
to release data until the intended of the program used for the processing
recipient agrees to implement For purpose of access, use the same of Part A claims. We will modify the
appropriate management, operational procedures outlined in Notification name to read: ‘‘Fiscal Intermediary
and technical safeguards sufficient to Procedures above. Requestors should Shared System (FISS).’’ We propose to
protect the confidentiality, integrity and also specify the record contents being modify existing routine use number 1
availability of the information and sought. (These procedures are in that permits disclosure to agency
information systems and to prevent accordance with department regulation contractors and consultants to include
unauthorized access. 45 CFR 5b.5(a)(2)). disclosure to CMS grantees who perform
This system will conform to all a task for the agency. CMS grantees,
CONTESTING RECORDS PROCEDURES:
applicable Federal laws and regulations charged with completing projects or
and Federal, HHS, and CMS policies The subject individual should contact activities that require CMS data to carry
and standards as they relate to the system manager named above, and out that activity, are classified separate
information security and data privacy. reasonably identify the records and from CMS contractors and/or
These laws and regulations may apply specify the information to be contested. consultants. The modified routine use
but are not limited to: the Privacy Act State the corrective action sought and will remain as routine use number 1.
of 1974; the Federal Information the reasons for the correction with We will delete routine use number 8
Security Management Act of 2002; the supporting justification. (These authorizing disclosure to support
Computer Fraud and Abuse Act of 1986; Procedures are in accordance with constituent requests made to a
the Health Insurance Portability and Department regulation 45 CFR 5b.7). congressional representative. If an
Accountability Act of 1996; the E- authorization for the disclosure has
Government Act of 2002, the Clinger- RECORDS SOURCE CATEGORIES: been obtained from the data subject,
Cohen Act of 1996; the Medicare Sources of information contained in then no routine use is needed. The
Modernization Act of 2003, and the this records system is furnished by the Privacy Act allows for disclosures with
corresponding implementing individual. In most cases, the the ‘‘prior written consent’’ of the data
regulations. OMB Circular A–130, identifying information is provided to subject. We will broaden the scope of
Management of Federal Resources, the physician by the individual. routine uses number 10 and 11,
Appendix III, Security of Federal Information is obtained from other CMS authorizing disclosures to combat fraud
Automated Information Resources also systems of records and data systems: and abuse in the Medicare and
applies. Federal, HHS, and CMS Health Insurance Master Record, Medicaid programs to include
policies and standards include but are Intermediary Medicare Claims Records, combating ‘‘waste’’ which refers to
not limited to: All pertinent National Carrier Medicare Claims Records, MSP specific beneficiary/recipient practices
Institute of Standards and Technology Record, Third Party Liability Record, that result in unnecessary cost to all
publications; the HHS Information Medicare Entitlement Record, Health Federally-funded health benefit
Systems Program Handbook and the Maintenance Organization Record, programs.
CMS Information Security Handbook. Hospice Record, and in the case of some We are modifying the language in the
MSP situations, through third party remaining routine uses to provide a
RETENTION AND DISPOSAL: proper explanation as to the need for the
contacts. The medical information is
Records are maintained in a secure provided by the providers of medical routine use and to provide clarity to
storage area with identifiers. Records are services. CMS’s intention to disclose individual-
closed at the end of the calendar year in specific information contained in this
which paid, then destroyed 6 years and system. The routine uses will then be
rwilkins on PROD1PC63 with NOTICES

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS


3 months after final payment/action. All OF THE ACT: prioritized and reordered according to
claims-related records are encompassed their usage. We will also take the
None.
by the document preservation order and opportunity to update any sections of
will be retained until notification is [FR Doc. E6–18611 Filed 11–3–06; 8:45 am] the system that were affected by the
received from DOJ. BILLING CODE 4120–03–P recent reorganization or because of the

VerDate Aug<31>2005 17:31 Nov 03, 2006 Jkt 211001 PO 00000 Frm 00042 Fmt 4703 Sfmt 4703 E:\FR\FM\06NON1.SGM 06NON1

You might also like