Privacy Act of 1974; Report of Modified or Altered System of Records

AGENCY:

National Center for Environmental Health (NCEH), Coordinating Center for Environmental Health and Injury Prevention (CCEHIP), Department of Health and Human Services (DHHS).

ACTION:

Notification of proposed altered System of Records.

SUMMARY:

The Department of Health and Human Services proposes to alter System of Records, 09-20-0162, “Records of Subjects in Agent Orange, Vietnam Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/NCEH.” HHS is proposing to add the following Breach Response Routine Use Language to comply with the Office of Management and Budget (OMB) Memoranda (M) 07-16, Safeguarding Against and responding to the Breach of Personally Identifiable Information:

To appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information disclosed is relevant and necessary for that assistance.

These records will be maintained by the Coordinating Center for Environmental Health and Injury Prevention (CCEHIP), National Center for Environmental Health (NCEH).

DATES:

Comments must be received on or before February 24, 2011. The proposed altered System of Records will be effective 40 days from the date submitted to the OMB, unless CCEHIP/NCEH receives comments that would result in a contrary determination.

ADDRESSES:

You may submit comments, identified by the Privacy Act System of Record Number 09-20-0162:

SUPPLEMENTARY INFORMATION:

CCEHIP/NCEH proposes to alter System of Records, No. 09-20-0162, “Records of Subjects in Agent Orange, Vietnam Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/NCEH.” Records in this system are used to support studies to assess the health of Vietnam veterans relative to the health of other men of similar age. Specifically this information should enable the Centers for Disease Control and Prevention (CDC) to:

1. Evaluate the relationship of documented exposure to herbicides used in Vietnam (primarily Agent Orange) to possible adverse health consequences. Such possible effects to be evaluated include dermatologic, neurological, psychological, immunological, carcinogenic, reproductive, gastrointestinal, and others.

2. Assess the health effects of service in Vietnam (including factors other than herbicide exposure) as opposed to the experiences of veterans who served in other countries.

3. Evaluate the risk of selected cancers among Vietnam veterans in contrast to men of similar age who did not serve in Vietnam.

This System of Record Notice is being altered to add the Breach Response Routine Use Language to comply with the Office of Management and Budget (OMB) memorandum dated May 22, 2007.

The following notice is written in the present tense, rather than the future tense, in order to avoid the unnecessary expenditure of public funds to republish the notice after the System has become effective.

Editorial Note:

This document was received at the Office of the Federal Register on December 27, 2010.

Department of Health and Human Services (HHS)

Centers for Disease Control and Prevention (CDC)

Coordinating Center for Environmental Health and Injury Prevention (CCEHIP)

Records of Subjects in Agent Orange, Vietnam Experience, and Selected Cancers Studies

Report of Modified or Altered System of Records

Narrative Statement

I. Background and Purpose of the System

A. Background

The Department of Health and Human Services proposes to alter System of Records, No. 09-20-0162, “Records of Subjects in Agent Orange, Vietnam Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/NCEH.” HHS is proposing to add the following Breach Response Routine Use Language to comply with the Office of Management and Budget (OMB) Memoranda (M) 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information:

To appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information disclosed is relevant and necessary for that assistance.

B. Purpose

Records in this system are used to support studies to assess the health of Vietnam veterans relative to the health of other men of similar age. Specifically this information should enable the Centers for Disease Control and Prevention (CDC) to:

1. Evaluate the relationship of documented exposure to herbicides used in Vietnam (primarily Agent Orange) to possible adverse health consequences. Such possible effects to be evaluated include dermatologic, neurological, psychological, immunological, carcinogenic, reproductive, gastrointestinal, and others.

2. Assess the health effects of service in Vietnam (including factors other than herbicide exposure) as opposed to the experiences of veterans who served in other countries.

3. Evaluate the risk of selected cancers among Vietnam veterans in contrast to men of similar age who did not serve in Vietnam.

Portions of records (i.e., name, Social Security number or military service number, date of birth) may be disclosed to the National Center for Health Statistics, CDC for obtaining a determination of vital status. Death certificates stating the cause of death will then be obtained from the appropriate Federal, State, or local agency to enable CDC to evaluate whether excess mortality is occurring among Vietnam veterans.

II. Authority for Maintenance of the System

The Public Health Service Act, Section 301, Research and Investigations (42 U.S.C. 241); and the Public Health Service Act, Sections 304, 306, and 308(d), which discuss authority to maintain data and to provide assurances of confidentiality for health research and related activities (42 U.S.C. 242b, 242k, and 242m(d)).

III. Proposed Routine Use Disclosures of Data in the System

The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a “routine use”. The routine uses proposed for this System are compatible with the stated purpose of the System:

Records have been disclosed to Department of Health and Human Services contractors to locate veterans, cancer cases and controls, conduct interviews, perform medical examinations, analyze pathology specimens, and similar medical services, so that the research purposes for which the records were collected could be accomplished. The contractor was required to comply with the Privacy Act and to follow Section 308(d) of the Public Health Service Act with respect to such records.

Portions of records (i.e., name, Social Security number or military service number) have been disclosed to other Federal agencies such as the Veterans Administration, Internal Revenue Service, and Social Security Administration only to obtain information to aid in locating veterans involved in the study. These disclosures would have been made to update locating information provided by the Army and Joint Services Environmental Support Group.

Records may be disclosed to appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information disclosed is relevant and necessary for that assistance.

IV. Effects of the Proposed System of Records on Individual Rights

An individual may learn if a record exists about himself or herself by contacting the system manager at the above address. Persons who knowingly and willfully request or acquire a record pertaining to an individual under false pretenses are subject to a $5,000 fine for this criminal offense. Requesters in person must provide photo identification (such as driver's license) or other positive identification (i.e., place of birth, etc.) that would authenticate the identity of the individual making the request. Individuals who do not appear in person must submit a notarized request to verify their identity. A guardian who requests notification of, or access to, a mentally incompetent or severely physically impaired person's record must provide a birth certificate (or notarized copy), court order, or other appropriate evidence of guardianship. An individual who requests notification of or access to, a medical record shall at the time the request is made, designate in writing a responsible representative (who may be a physician, other health professional, or other responsible individual) who will be willing to review the record and inform the subject individual of its contents.

In addition, the following information must be provided when requesting notification: (1) Full name and Social Security or military service number; and; (2) nature of the study in which the requester participated.

Same as notification procedures. Requesters should also reasonably specify the record contents being sought. An accounting of disclosures that have been made of the record, if any, may be requested.

V. Safeguards

The records in this System are stored in hard copy records, microfilm, computer tapes/disks, CD-ROMs, and printouts. The records are retrieved by the name, Social Security number or military service number (when supplied voluntarily or contained in existing records used in studies under this system), or other identifying number.

Records in this system are collected under an assurance of confidentiality authorized by Section 308(d) of the Public Health Service Act. To comply with this assurance, the following special safeguards are necessary:

Authorized Users: A database security package is implemented on CDC's mainframe computer to control unauthorized access to the system. Attempts to gain access by unauthorized individuals are automatically recorded and reviewed on a regular basis. Access is granted to only a limited number of physicians, scientists, statisticians, and designated support staff of the Centers for Disease Control and Prevention (CDC), as authorized by the system manager to accomplish the stated purpose for which the data in this system have been collected.

Physical Safeguards: Access to the CDC Clifton Road facility where the mainframe computer is located is controlled by a cardkey system. Access to the computer room is controlled by a cardkey and security code (numeric keypad) system. The local fire department is located directly next door to the Clifton Road facility. The computer room is protected by an automatic sprinkler system, numerous automatic sensors (e.g., water, heat, smoke, etc.) are installed, and a proper mix of portable fire extinguishers is located throughout the computer room. Hard copy records are kept in locked cabinets in locked rooms. Security guard service in buildings provides personnel screening of visitors.

Procedural Safeguards: Protection for computerized records on the mainframe includes programmed verification of valid user identification code and password prior to logging on to the system; mandatory password changes, limited log-ins, virus protection, and user rights/file attribute restrictions. Password protection imposes user name and password log-in requirements to prevent unauthorized access. Each user name is assigned limited access rights to files and directories at varying levels to control file sharing. There are routine daily backup procedures and secure off-site storage is available for backup tapes. To avoid inadvertent data disclosure, when erasing computer tapes and/or other magnetic media, an additional procedure is performed to ensure that all Privacy Act data are removed. Additional safeguards may be built into the program by the system analyst as warranted by the sensitivity of the data.

Access to highly sensitive systems is limited to users obtaining prior supervisory approval. Names and other details necessary to identify individuals are not included in data files used for analysis. These files are indexed by code numbers which are linked with complete identifiers only if there is a specific need. Keys which link identification numbers to names are stored separately with access limited to CDC project officers and authorized staff.

CDC employees who process the records are instructed in specific rules of conduct to protect the security and confidentiality of records in accordance with Section 308(d) of the Public Health Service Act.

Implementation Guidelines: The safeguards outlined above are in accordance with the HHS Information Security Program Policy and FIPS Pub 200, “Minimum Security Requirements for Federal Information and Information Systems.” Data maintained on CDC's Mainframe are in compliance with OMB Circular A-130, Appendix III. Security is provided for information collection, processing, transmission, storage, and dissemination in general support systems and major applications.

The records are retained and disposed of in accordance with the CDC Records Control Schedule, which allows the system manager to maintain the records for 20 years unless needed for future reference. Because five-year mortality updates are planned until the study population expires, and health information from the questionnaire will be correlated with the mortality data, the computerized records to which questionnaire data were converted may be kept as long as research needs dictate. Records have been transferred to the Federal Records Center for storage and will be retained there subject to statutory confidentiality requirements.

VI. OMB Control Numbers, Expiration Dates, and Titles of Information Collection

A. Full Title: “Records of Subjects in Agent Orange, Vietnam Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/NCEH.”

OMB Control Number: 09-20-0162.

Expiration Date: TBD.

VII. Supporting Documentation

A. Preamble and Proposed Notice of System for publication in the Federal Register.

B. Agency Rules: None.

C. Exemption Requested: None.

D. Computer Matching Report: The new system does not require a matching report in accordance with the computer matching provisions of the Privacy Act.