System of Record Notice 09-15-0056

SYSTEM NAME AND NUMBER: Injury Compensation Programs, HHS/HRSA/HSB, 09-15-0056.

SECURITY CLASSIFICATION: Unclassified.

SYSTEM LOCATION: Healthcare Systems Bureau (HSB), Health Resources and Services Administration (HRSA), 5600 Fishers Lane, Room 8N46B, Rockville, Maryland 20857.

SYSTEM MANAGER(S): Director, Division of Injury Compensation Programs, Healthcare Systems Bureau, Health Resources and Services Administration, 5600 Fishers Ln., Rm. 8N146B, Rockville, MD 20857, or the Director’s designee.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

National Vaccine Injury Compensation Program (VICP): National Childhood Vaccine Injury Act of 1986, as amended (Vaccine Act), 42 U.S.C. 300aa–10, et seq.

Countermeasures Injury Compensation Program (CICP): Public Readiness and Emergency Preparedness Act of 2005 (PREP Act), 42 U.S.C. 247d– 6e.

PURPOSE(S) OF THE SYSTEM: VICP records are used to determine eligibility of petitioners to receive compensation, and to compensate successful petitioners in the amount and in the manner determined by the U.S. Court of Federal Claims (Court). CICP records are used to determine eligibility for benefits and to provide benefits to certain individuals who have sustained a covered injury as a result of the administration or use of a covered countermeasure, and to provide benefits to the survivors and/or estates of deceased injured countermeasure recipients. Note that any overpayment or other debt-related information arising from VICP or CICP may be used and disclosed for debt management and collection purposes as described in the SORN published for HHS’ Debt Management and Collection System, System No. 09–40–0012, last published in full at 63 FR 68596 (Dec. 11, 1998), updated at 80 FR 67767 (Nov. 3, 2015) and 83 FR 6591 (Feb. 14, 2018).

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: 

The records in this system of records are about:

• Individuals (Petitioners) who file claims with the National Vaccine Injury Compensation Program (VICP); and
• Individuals (Petitioners) who request benefits from the Countermeasures Injury Compensation Program (CICP) or their representatives.

CATEGORIES OF RECORDS IN THE SYSTEM: 

The records consist of medical records, including medical expense records, employment records, and other documents used to support injury compensation claims and to make program recommendations and decisions. Records may contain the following information about each category of individual:

• VICP petitioners: Claim or petition for compensation, including petitioner's name and name of person vaccinated if different from petitioner, and all relevant medical records (including autopsy reports and slides, radiological films, and home videos, if any), assessments, evaluations, prognoses, and such other records and documents as are reasonably necessary for the determination of eligibility for and the amount of compensation to be paid to, or on behalf of, the person who suffered such injury or who died from the administration of the vaccine, payment information, general or congressional correspondence, Department of Health and Human Services (HHS) responses to correspondence, and other related case processing documents.
• CICP requesters: Request for benefits, including requester's name and name of injured countermeasure recipient if different from requester, case number assignment, medical and legal documentation, employment documentation, documentation concerning services or benefits available from the United States or any third party (including any state or local governmental entity, private insurance carrier, or employer), payment information, general or congressional correspondence, HHS responses to correspondence, and other related case processing documents.

RECORD SOURCE CATEGORIES: Records about a VICP petitioner are obtained from the petitioner, petitioner’s legal representative, health care providers, and other interested persons. Records about a CICP requester are obtained from the requester, requester’s representative, health care providers, and other interested persons. Sources of VICP records include, but are not limited to the petitioner, petitioner’s legal representative, health care providers and other interested parties. Sources of CICP records include, but are not limited to, countermeasure recipients and/or their legal or personal representatives under the Countermeasures Injury Compensation Program, and any other sources of information or documentation submitted by any other person or entity for inclusion in a request for the purpose of determining eligibility for, or amount of benefits and/or compensation under, the Program (e.g., federal, state, or local government or private health care entities participating in the administration of covered countermeasures under a Secretarial declaration).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

Information about an individual VICP petitioner or CICP requester may be disclosed from this system of records to parties outside the agency without the individual's prior, written consent pursuant to these routine uses:

1. Records may be disclosed to an agency contractor, another federal agency, agency consultants, or others who have been engaged by HHS to assist with accomplishment of an HHS function relating to the purposes of this system of records and who need to have access to the records in order to assist HHS. For example:
   • HRSA will contract with expert medical consultants to obtain advice on petitioner's eligibility for compensation. To the extent necessary, relevant records may be disclosed to such consultants. The consultants shall be required to maintain Privacy Act safeguards concerning such records and return all records to HRSA.
   • To the extent necessary, a record may be disclosed to agency contractors for the purpose of providing medical review, analysis, and determination as to whether petitions meet the medical requirements for compensation. Contractors will be required to maintain Privacy Act safeguards concerning such records.
   • Disclosure of records may be made to contractors engaged by the Department who need access to the records to assist the Department in evaluating the effectiveness of the CICP.
2. Disclosure may be made to federal, state, or local government entities or to private entities for the purpose of requesting, and enabling them to locate and provide information relevant to medical, legal, or financial (e.g., insurance, payment) documentation required for determinations of eligibility or payment.
3. A record may be disclosed to researchers for a scientific research purpose, only when the Department has determined:
   • That the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained;
   • That the research purpose is consistent with the purpose for which the program was formed;
   • That the proposed research is scientifically sound in its methods and analyses and is likely to answer the proposed research question;
   • That the information sought is not available from any other source;
   • That the record made available for scientific research is redacted of all personal identifiers regarding injured individuals, health care practitioners, and employers that are not essential for the accomplishment of the approved research purpose, and;
   • That the recipient of records for scientific research purposes:
     • Establishes strict limitations acceptable to the Department concerning the receipt and use of any patient-identifiable data;
     • Establishes reasonable administrative, technical, and physical safeguards and/or protocols acceptable to the Department to protect the confidentiality of the data and to prevent the unauthorized use or disclosure of the record;
     • Removes or destroys the information that identifies an individual at the earliest time that removal or destruction can be accomplished consistent with the purpose of the research project;
     • Makes no further use or disclosure of the record, except when required by law; and
     • Provides a written statement (approved by the agency) attesting to the recipient's understanding of, and agreement to abide by, these conditions of disclosure and that violation of these provisions is subject to penalties set forth under 5 U.S.C. 552a(i)(3) and any other applicable federal law.
4. Records may be disclosed to the Department of Justice (DOJ) or to a court or other tribunal when: (a) HHS or any of its components; or (b) any employee of HHS acting in the employee's official capacity; or (c) any employee of HHS acting in the employee's individual capacity where the DOJ or HHS has agreed to represent the employee; or (d) the United States Government, is a party to a proceeding or has an interest in such proceeding and the disclosure of such records is deemed by the agency to be relevant and necessary to the proceeding. For example:
   • HRSA will release the petitioner's complete medical file and may release a consultant(s)' report to the DOJ and the court for adjudication of a VICP compensation claim.
5. Disclosures may be made to a congressional office from the record of an individual, in response to a written inquiry from the congressional office made at the written request of the individual or his/her legal or personal representative.
6. Where a record, either alone or in combination with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute or by regulation, rule, or order issued pursuant thereto, the relevant records may be referred to the appropriate agency, whether federal, state, local, tribal, territorial, or foreign, charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.
7. Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
8. Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in:
   • Responding to a suspected or confirmed breach; or
   • Preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.
9. To the extent necessary, a record may be disclosed for the purpose of ensuring that a government reversionary trust or government-owned annuity established in connection with a program award or benefit is being properly administered. Such disclosures may be made to institutions serving as trustees and medical administrators concerning such trusts, to insurance companies administering such government-owned annuities, to individuals serving as guardians of the estate of individuals compensated by the program, and to attorneys representing such parties (or representing local, state, tribal, territorial, foreign, and the federal government). Organizations or individuals to which information is disclosed for this use will be required to maintain Privacy Act safeguards concerning such records.  Records may also be disclosed for the same purpose to courts of competent jurisdiction in which trust administration or government-owned annuity issues arising out of program claims are raised.
10. Consistent with its obligation under the Vaccine Act, HRSA will disclose for publication in the Federal Register the following information from VICP records: The name of the petitioner; the name of the person vaccinated, if not the petitioner; the city and State where the vaccine was administered (if unknown, then the city and state of the person or attorney filing the claim); and the court's docket number.
11. VICP records may be disclosed to organizations deemed qualified by the Secretary of Health and Human Services (Secretary) for the purpose of evaluating the administration, process, or outcomes of the VICP (as required by Congress). The purpose of the disclosure is to document the extent to which the VICP is satisfying the goals and objectives of its authorizing legislation, i.e., maintaining a system for compensating those who have been injured by a vaccine that is fair and expeditious.  Organizations to which information is disclosed for this use shall be required to maintain Privacy Act safeguards concerning such records.
12. To the extent necessary, VICP records may be disclosed to annuity brokers, reversionary trust banks/trustees, and to employees of life insurance companies to obtain financial advice and for the purchase of contracts to provide compensation to eligible petitioners under the Program. Organizations to which information is disclosed for this use will be required to maintain Privacy Act safeguards concerning such records and return all records to HRSA without retaining any copies.
13. Disclosure of records may be made to individuals and/or entities as necessary for the purposes of obtaining financial advice and providing benefits to requesters approved for payment under the CICP. All individuals and/or entities permitted disclosure for this use shall be required to maintain Privacy Act safeguards with respect to such records and return all records to HRSA without retaining any copies.

The disclosures authorized by publication of the above routine uses pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(4)–(11).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored in the Injury Compensation System, portable electronic media storage, and paper file folders.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: 

• VICP: Records are retrieved by the name of the petitioner and/or the name of the individual vaccinated.
• CICP: Records are retrieved by the name of the requester and/or the individual who was administered or used a countermeasure. 

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: Records are disposed of 25 years after the case file is closed, in accordance with records disposition schedule N1– 512–96–1.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

1. Authorized Users: Access is limited to the System Manager, authorized HRSA/HSB personnel responsible for administering these programs, and authorized HHS Office of the General Counsel personnel responsible for advising these programs. HRSA/HSB maintains a current list of authorized users.
2. Physical safeguards: All hard copy files are stored in filing cabinets, which are kept in locked and secured rooms during non-work hours; portable electronic storage and computer equipment are retained in areas where fire and safety codes are strictly enforced.  All electronic and hard copy documents are protected on a 24-hour basis in security areas.  Security guards perform random checks of the physical security of the record storage area.
3. Procedural safeguards: HRSA/HSB has established stringent safeguards in line with the sensitivity of the records. These include: Transmitting records to consultants by Federal Express, United Parcel Service, or another courier service to ensure that a signature is required upon receipt of the records; escorting visitors into areas where records are maintained; utilizing two-factor authentication for computer access; and securing areas where records are stored. Job-specific assigned roles control the release of data only to authorized users. All users of personal information in connection with the performance of their jobs protect information from public view and unauthorized personnel entering an unsupervised office.
4. Risk assessment: Risk assessments and continuous monitoring activities ensure that vulnerabilities, risks, and other security concerns are identified and addressed in the system design and throughout the life cycle of the project.

RECORD ACCESS PROCEDURES: Record access procedures are the same as Requests in Person procedures above.

CONTESTING RECORDS PROCEDURES: To contest a record in the system, contact the System Manager at the address specified above and reasonably identify the record, stipulate the information being contested, state the corrective action sought and the reason(s) for requesting the correction, along with supporting documentation to show how the record is inaccurate, incomplete, untimely, or irrelevant.

NOTIFICATION PROCEDURES: Requests must be made to the System Manager.

Requests by mail: Requests for information and/or access to records received by mail must contain information providing the identity of the writer, and a reasonable description of the record desired, and who it concerns. Written requests must contain the name and address of the requester, his/her date of birth and his/her signature for comparison purposes. Requests must be notarized to verify the identity of the requester, or the requester must certify that (s)he is the individual who (s)he claims to be and that (s)he understands that to knowingly and willfully request or acquire a record pertaining to another individual under false pretenses is a criminal offense under the Privacy Act subject to a $5,000 fine. The requester should provide a reasonable description of the contents of the record being sought. Records will be mailed only to the requester's address that is on file unless a different address is demonstrated by official documentation. 

Requests in person: An individual who makes a request in person shall provide to the System Manager at least one piece of tangible identification such as a driver's license, passport, alien or voter registration card, or union card to verify his/her identity. If an individual does not have identification papers to verify identity, (s)he must certify in writing that (s)he is the individual (s)he claims to be and that (s)he understands that the knowing and willful request for, or acquisition of, a record pertaining to an individual under false pretenses is a criminal offense subject to a $5,000 fine. 

Requests on behalf of a minor/legally incompetent person: A parent or guardian who makes a request on behalf of a minor/legally incompetent person must verify his/her relationship to the minor/legally incompetent person as well as his/her own identity. If requesting a minor or legally incompetent person's medical records, the parent or guardian of a minor/legally incompetent person must designate a family physician or other health professional (other than a family member) to whom the records, if any, will be sent. 

Requests by telephone/facsimile/electronic mail: Since positive identification of the requester cannot be established, telephone, facsimile, or electronic mail (email) requests will not be honored.

EXEMPTIONS PROMULGATED FOR THE SYSTEM: None.

HISTORY: 75 FR 60468 (Sept. 30, 2010), 83 FR 6591 (Feb. 14, 2018).

Notice of Rescindment For the reason explained in the SUPPLEMENTARY INFORMATION section at II., the following system of records is rescinded:

SYSTEM NAME AND NUMBER: Countermeasures Injury Compensation Program, HHS/HRSA/ HSB, 09–15–0071.

HISTORY: 76 FR 28991 (May 19, 2011), 83 FR 6591 (Feb. 14, 2018).