System name:
Public Health Service (PHS) Beneficiary-Contract Medical/Health Care Records, HHS/PSC/HRS.
Security classification:
None.
System location:
Medical Affairs Branch (MAB), Beneficiary Medical Programs Section, DCP/HRS/PSC, Room 4C–06, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857–0001.
Duplicates of records may also be maintained in operating offices (duty stations) of the Department and other agencies and organizations to which PHS Commissioned Corps officers are assigned. Contact the System Manager for the location of specific records.
Names and addresses of contractors given information under routine use 8 can be obtained from the System Manager at the location identified below.
Categories of individuals covered by the system:
Individuals who are or were legally entitled to health care through the Public Health Service and who have received health care from health professionals or facilities under contract or agreement with the Department of Health and Human Services.
Categories of records in the system:
May include any or all of the following: Diagnostic (laboratory/X-ray, etc.) and treatment data; sociological information; invoices for services; eligibility data including employment history; and uniformed services information (employing services, service numbers, duty station, home address, etc.).
Authority for maintenance of the system:
Section 215 of the Public Health Service Act (42 U.S.C. 216) "Regulations" and section 326 of the Public Health Service Act (42 U.S.C. 253) "Medical Services to Coast Guard, National Oceanic and Atmospheric Administration and the Public Health Service."
Purpose(s):
The information is used by the Program Support Center (PSC), DCP, HHS Operating Divisions and other organizations where commissioned officers are assigned, to:
1. Serve as the basis for payment for patient care and for continuity in the evaluation of the patient's condition and treatment.
2. Furnish documentary evidence of the course of the patient's medical evaluation and treatment to document communications between the responsible practitioner and any other health professionals contributing to the patient's care and treatment.
3. Verify patient eligibility.
4. Ensure quality assurance.
5. Monitor contract compliance.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
Disclosure of these records and information from these records may be made to:
1. Medical laboratories and facilities and non-agency physicians in order to facilitate treatment and payment of bills. Recipients are required to maintain adequate safeguards with respect to such records.
2. The Department of Commerce to report results of examination and/or treatment of that agency's personnel.
3. The Department of Defense and the Department of Veterans Affairs to assist uniformed services, personnel, retirees and veterans to obtain medical care or benefits.
4. A Federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, other issuance of a license, grant or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter.
5. A congressional office from the record of an individual in response to a verified inquiry from the congressional office made at the written request of that individual.
6. In the event of litigation where the defendant is: (a) The Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) the United States where the Department determines that the claim, if successful, is likely to directly affect the operations of the Department or any of its components; or (c) any Department employee in his or her official capacity where the Justice Department has agreed to represent such employee, the Department may disclose such records as it deems desirable or necessary to the Department of Justice to enable that Department to present an effective defense, provided such disclosure is compatible with the purpose for which the records were collected.
7. Information regarding the commission of crimes or the reporting of occurrences of communicable diseases, tumors, child abuse, births, deaths, alcohol or drug abuse, etc., may be disclosed as required by health providers and facilities by State law or regulation of the department of health or other agency of the State or its subdivision in which the facility is located. Disclosures will be made to organizations as specified by the State law or regulation, such as births and deaths to the vital statistics agency and crimes to law enforcement agencies. Disclosure of the contents of records which pertain to patient identity, diagnosis, prognosis or treatment of alcohol or drug abuse is restricted under the provisions of the Confidentiality of Alcohol and Drug Abuse Patient Records Regulation 42 CFR part 2, as authorized by 42 U.S.C. 290dd–2.
8. When the Department contemplates contracting with a private firm for the purpose of collating, analyzing, aggregating, or otherwise refining records in this system, relevant records will be disclosed to such a contractor. The contractor will be required to maintain Privacy Act safeguards with respect to such records. These safeguards are explained in the section entitled "Safeguards."
Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:
Storage:
File folders and electronic data base.
Retrievability:
Alphabetically by name, by PHS serial number and/or by Social Security Number.
Safeguards:
1. Authorized Users
a. Automated Records. Access to and use of automated records is limited to departmental employees whose official duties require such access; supervisory, contracting officials who review the contractor's records annually; and doctors, dentists, nurses, allied health professionals and administrative staff in the contractor's office who are involved in patient care management.
b. Nonautomated records. Access to and use of nonautomated records is limited to departmental employees whose official duties require such access; contracting officials who review the contractor's records annually; and doctors, dentists, nurses, allied health professionals and administrative staff in the contractor's office. Access is also granted to individuals who have written permission to review the records when that permission has been obtained from the individual to whom the record pertains.
2. Physical safeguards
a. Automated records. Terminals by which automated records are accessed are kept in offices secured with locks. Automated records on magnetic tape, disks and other computer equipment are kept in rooms designed to protect the physical integrity of the records media and equipment. These rooms are within inner offices to which access is permitted only with special clearance. Outer offices are secured with locks. During nonwork hours, all cabinets, storage facilities, rooms and offices are locked and the premises are patrolled regularly by building security forces.
b. Nonautomated records. Nonautomated records are kept in such a way as to prevent observation by unauthorized individuals while the records are actively in use by an authorized employee. When records are not in use, they are closed and secured behind locked inner office doors, in desk drawers with locks, filing cabinets with locks, or other security equipment, all of which are kept inside authorized office space which is locked whenever it is not in use. Keys to furniture and equipment are kept only by the individual who is assigned to that furniture or equipment and by the DCP security officer.
3. Procedural safeguards
a. Automated records. Automated records are secured by assigning individual access codes to authorized personnel, and by the use of passwords for specific records created by authorized personnel. All users of personal information in connection with the performance of their jobs protect information from public view and from unauthorized personnel entering an unsupervised office.
b. Nonautomated records. All files are secured when employees are absent from the premises and are further protected by locks on entry ways and by the building security force. Official records may not be removed from the physical boundaries of DCP. When records are needed at a remote location, copies of the records will be provided. When copying records for authorized purposes, care is taken to ensure that any imperfect or extra copies are not left in the copier room where they can be read, but are destroyed or obliterated.
4. Contractor Guidelines. A contractor who is given records under routine use 8 must maintain the records in a secured area, allow only those individuals immediately involved in the processing of the records to have access to them, prevent any unauthorized persons from gaining access to the records, and return the records to the System Manager immediately upon completion of the work specified in the contract. Contractor compliance is assured though inclusion of Privacy Act requirements in contract clauses, and through monitoring by contract and project officers. Contractors who maintain records are instructed to make no disclosure of the records except as authorized by the System Manager and as stated in the contract.
Retention and disposal:
a. Automated records. Automated billing data are retained for a period of six years and three months after the closing of a file. The record is then destroyed.
b. Nonautomated records. Nonautomated records are retained in the MAB files until the contract is terminated or the payment action completed. The medical records are then forwarded to the MAB, DCP, and retained as indicated in 09–40–0002, "PHS Commissioned Corps Medical Records, HHS/PSC/HRS." Billing information is retained for three fiscal years, then purged and shredded. Patient care notes are retained in the chart until retirement, termination or inactivation. Once a chart is inactivated for over three years it is sent to storage at the Northeast Region Federal Records Center, Bayonne, New Jersey for 16 years. Destruction at that time is in accordance with standard practices of the Federal Records Center.
System manager(s) and address:
Director, DCP/HRS/PSC, Room 4A–15, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857–0001.
Notification procedure:
Same as Access Procedures. Requesters should also reasonably specify the record contents being sought.
Record access procedures:
1. General procedures. An individual (and/or the individual's legal representative) seeking access to his/her records may initially contact any DCP office or employee for information about obtaining access to the records. The DCP employees will inform each individual of the appropriate procedures to follow. Individuals may also seek access to these records by initially contacting the duty station at which they believe the records are located. Individuals at the duty station will ascertain whether the records being sought are maintained at that location. If the records are not located at that duty station, the employee will instruct the individual as to where these records may be located. Each individual seeking access will be required to verify his/her identity to the satisfaction of the employee providing access. Refusal to provide sufficient proof of identity will result in denial of the request for access until such time as proof of identity can be obtained.
If a determination is made that the material sought contains medical information that is likely to have an adverse effect on the requester, the requester shall be asked to designate in writing a responsible representative who will be willing to review the record and inform the subject individual of the material's contents at the representative's discretion. Such a representative must provide proof that s/he is duly authorized to review the record by either the individual or the individual's legal guardian. A parent, guardian or legal representative who requests notification of, or access to, a dependent/incompetent person's record shall designate a family physician or other health professional (other than a family member) to whom the record, if any, will be sent. The parent or guardian must verify his/her relationship to the dependent/incompetent person as well as his/her own identity.
2. Requests in person. An individual who is the subject of a record and who appears in person seeking access shall provide his/her name and at least one piece of tangible identification (e.g., PHS Commissioned Corps Identification Card, driver's license or passport). Identification cards with current photograph are required. The records will be reviewed in the presence of an appropriate employee who will answer questions and ensure that the individual neither removes nor inserts any material into the record without the knowledge of the DCP employee. If the individual requests a copy of any records reviewed, the employee will provide them to the individual. The employee will record the name of the individual granted access, the date of access, and information about the verification of identity on a separate log sheet maintained in the Beneficiary Medical Program office.
3. Requests by mail. Written requests must be addressed to the System Manager at the address shown as the system location above. All written requests must be signed by the individual seeking access. A comparison will be made of that signature and the signature maintained on file prior to release of the material requested. Copies of the records to which access has been requested will be mailed to the individual. The original version of a record will not be released except in very unusual situations when only the original will satisfy the purpose of the request.
4. When an individual to whom a record pertains is mentally incompetent or under other legal disability, information in the individual's records may be disclosed to any person who is legally responsible for the care of the individual, to the extent necessary to assure payment of benefits to which the individual is entitled.
5. Requests by phone. Because positive identification of the caller cannot be established with sufficient certainty, telephone requests for access to records will not be honored.
6. Accounting of disclosures. An individual who is the subject of records maintained in this records system may also request an accounting of all disclosures made outside the Department, if any, that have been made from that individual's records.
Contesting record procedures:
Contact the System Manager at the address specified under System Location above and reasonably identify the record. Specify the information being contested. State the corrective action sought, with supporting justification, along with information to show how the record is inaccurate, incomplete, untimely or irrelevant.
Record source categories:
Information is provided from Individuals, employers, other health care providers, families and social agencies, and 09–40–0002, Public Health Service (PHS) Commissioned Corps Medical Records, HHS/PSC/HRS.
System exempted from certain provision of the Act:
None.
