87 FR 172 pgs. 54751-54755 - Privacy Act of 1974; Department of Transportation, Federal Aviation Administration, DOT/FAA 811, FAA Health Information Records
Type: NOTICE
Volume: 87
Number: 172
Pages: 54751 - 54755
Docket number: [Docket No. OST-2022-0074]
FR document: [FR Doc. 2022-19182 Filed 9-6-22; 8:45 am]
Agency: Transportation Department
DEPARTMENT OF TRANSPORTATION
Office of the Secretary
[Docket No. OST-2022-0074]
Privacy Act of 1974; Department of Transportation, Federal Aviation Administration, DOT/FAA 811, FAA Health Information Records
AGENCY:
Office of the Departmental Chief Information Officer, Office of the Secretary of Transportation, DOT.
ACTION:
Notice of a modified Privacy Act system of records.
SUMMARY:
In accordance with the Privacy Act of 1974, the Department of Transportation (DOT) proposes to rename, update, and reissue an existing system of records notice currently titled DOT Federal Aviation Administration (FAA) system of records DOT/FAA 811, "Employee Health Record System." This system of records notice (hereafter referred to as "Notice") previously covered FAA employees only. FAA employee occupational health care records and Health Awareness Program records are currently covered under the Office of Personnel Management (OPM)/Government (GOVT)-10 Employee Medical File System Records SORN (80 FR 74815-November 30, 2015). The updated Notice covers the FAA's collection, use, and maintenance of non-occupational health records on federal employees, as well as FAA contractors and members of the public, such as students, interns and training and research participants, who receive emergency medical services at either the Civil Aerospace Medical Institute (CAMI) Occupational Health Clinic located at the Mike Monroney Aeronautical Center (MMAC) in Oklahoma City, OK, or the FAA Headquarters (HQ) Health Unit located in the HQ building in Washington, DC. Additionally, it covers FAA's collection of participation status (i.e., eligible, ineligible) on members of the public who engage in research and training programs at the agency. Any medical records collected in the course of these research or training programs are outside the scope of this Notice. The data collected in the system is a combination of health information and Personally Identifiable Information (PII) which is used to provide proper medical care and case management.
DATES:
Written comments should be submitted on or before October 7, 2022. The Department may publish an amended Systems of Records Notice in light of any comments received. This new system will be effective October 7, 2022.
ADDRESSES:
You may submit comments, identified by docket number OST-2022-0074 by any of the following methods:
• Federal e-Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
• Mail: Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Ave. SE, West Building Ground Floor, Room W12-140, Washington, DC 20590-0001.
• Hand Delivery or Courier: West Building Ground Floor, Room W12-140, 1200 New Jersey Ave. SE, between 9 a.m. and 5 p.m. ET, Monday through Friday, except Federal Holidays.
• Fax: (202) 493-2251.
Instructions: You must include the agency name and docket number Docket No. OST-2022-0074. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided.
Privacy Act: Anyone is able to search the electronic form of all comments received in any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review the DOT's complete Privacy Act statement in the Federal Register published on January 17, 2008 (73 FR 3316-3317), or you may visit https://www.transportation.gov/privacy.
Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov or to the street address listed above. Follow the online instructions for accessing the docket.
FOR FURTHER INFORMATION CONTACT:
For questions, please contact Karyn Gorman, Acting Departmental Chief Privacy Officer, Privacy Office, Department of Transportation, Washington, DC 20590; privacy@dot.gov; or 202-366-3140.
SUPPLEMENTARY INFORMATION:
Notice Updates
This Notice update includes substantive changes to system name, system location, system manager, purpose, categories of individuals, categories of records, record source categories, routine uses of records maintained in the system, policies and practices for retrieval of records, policies and practices for retention and disposal of records, policies and practices for storage of records, and record access procedures; and non-substantive changes to administrative, technical and physical safeguards, contesting record procedures, and notification procedures. Updates also include editorial changes to simplify and clarify language, formatting, and text of the previously published Notice, to align with the requirements of Office of Management and Budget (OMB) Memoranda A-108, and to ensure consistency with other Notices issued by the Department of Transportation.
I. Background
In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the Department of Transportation (DOT)/Federal Aviation Administration (FAA) proposes to modify a DOT system of records titled
The following substantive changes have been made to the Notice:
1. System Name: This Notice updates the system name from DOT/FAA 811 "Employee Health Record System," to DOT/FAA 811 "FAA Health Information Records System" to describe more accurately the coverage of health records specifically collected, used, and maintained on federal employees, FAA contractors, and members of the public treated at one of the two FAA health facilities.
2. System Location: This Notice updates the system locations to specifically identify the addresses of the two FAA health facilities. One is located at the FAA, Civil Aerospace Medical Institute, Occupational Health Clinic, Mike Monroney Aeronautical Center, 6500 S Macarthur Blvd., Oklahoma City, OK 73169, and the other at the FAA HQ, 800 Independence Avenue SW, Room 328, Building FOB10A, Washington, DC 20591. The previous Notice only mentioned the Washington location with no specific address, and regional and center medical facilities. The FAA's regional and center medical facilities only collect occupational health records, which are covered by the Office of Personnel Management (OPM)/Government (GOVT)-10 Employee Medical File System Records. Because these regional and center medical facilities do not collect or maintain non-occupational records, the references to these previous locations are removed from this modified Notice.
3. System Manager: This Notice updates the system manager information for the two FAA health facilities and adds telephone numbers for each. The modified Notice removes the reference to Regional Flight Surgeon as it no longer applies given collection of only occupational health records in the regional and center medical facilities, which is covered by the OPM/GOVT-10 Notice.
4. Purpose: This Notice updates the purpose section to reflect the documentation of emergency care provided to federal employees, FAA contractors, and members of the public. Additionally, there is documentation of participation status of members of the public to engage in research and training programs at the FAA. The previous Notice reference of documenting the nature of the complaint or physical examination findings, treatment rendered, and case disposition will remain in this Notice while the preparation of analytical and statistical studies and reports is removed as it no longer applies.
5. Categories of Individuals: The previously published Notice only lists FAA employees as categories of individuals. However, the FAA health facilities provide emergency care to federal employees, as well as FAA contractors and members of the public, such as students, interns, and training and research participants. This Notice updates the categories of individuals to include these groups.
6. Categories of Records: This Notice updates the categories of records information referenced in the previous Notice by identifying data elements, to include PII such as: last name, social security number (SSN)/patient identifier (ID), date of birth (DOB), gender, company (if contractor), work phone and cell phone. The previous Notice listed broad categories of PII and health records; therefore, to ensure greater transparency, these changes provide more specificity to these categories and data elements collected and maintained by the FAA.
7. Records Source: This Notice updates the records source categories to reflect that the FAA collects data from non-FAA federal employees (i.e., Department of Defense and DOT personnel), FAA contractors and members of the public, as well as FAA health facility staff, federal and private sector medical practitioners and treatment facilities (including external providers and consultants).
8. Routine Use: This Notice updates the routine uses to include the Department of Transportation's general routine uses applicable to this Notice as they were previously only incorporated by reference. The Office of Management and Budget (OMB) Memorandum A-108 recommends that agencies include all routine uses in one notice rather than incorporating general routine uses by reference; therefore, the Department is replacing the statement in DOT/FAA 811 that referenced the "Statement of General Routine Uses" with all of the general routine uses that apply to this system of records. Additionally, there are new system specific routine uses being added to this Notice. Each new external sharing of medical information is compatible with the purpose of providing the best care to those individuals needing it at the respective FAA facilities. The CAMI Health Clinic, specifically, expects to receive accreditation regarding its quality of care and will share information on appropriate patient records with assessors for this purpose. Specific portions of patient records will be shared with appropriate external providers to ensure their continuity of care. Patient consent to share their information cannot always be obtained in a timely manner, especially if incapacitated, so it is necessary to authorize sharing with external providers as needed. And, finally, in the interest of public health, any information related to communicable diseases at FAA facilities will be shared with relevant federal, state and local health authorities. Only personal information specific to the sharing will be exchanged with external sources. The new routine uses are as follows:
a. To external medical professionals and independent entities, any patient records required to support their reviews for purposes of determining medical quality assurance and safety of FAA health facilities.
b. To private or other government health care providers, portions of patient records required for consultation, referral, and continuity of care or medical contingency support.
c. To disclose information to a Federal, state, or local agency to the extent necessary to comply with laws governing reporting of communicable diseases.
d. To disclose to a requesting agency, organization, or individual minimal personal and health information concerning those individuals who are reasonably believed to have contracted an illness or been exposed to or suffered from a health hazard while visiting FAA facilities.
9. Records Storage: This Notice updates the policies and practices for the storage of records to reflect that records previously referenced in the Notice as stored in security files and containers, and in computer databases, are now also stored in micrographic, photographic, as well as medical recordings, such as electrocardiograph tapes, x-rays and strip charts.
10. Records Retrieval: This Notice updates the policies and practices for the retrieval of records to reflect that individual medical history records are retrieved by name, patient ID and date of birth.
11. Retention and Disposal: This Notice updates the policies and practices for retention and disposal of records section to add the following schedules: National Archives and Records Administration (NARA) General Records Schedule (GRS) 2.7, "Employee Health and Safety Records," Item 070, "Non-occupational Individual medical case files," which requires records to be destroyed 10 years after the most recent encounter. In addition, the previous Notice stipulated that federal employee health records would be destroyed six years after last entry; this requirement is removed from this modified Notice because the records are now maintained for ten years as referenced above. NARA, NCI-237-77-7, "Environmental Health Record," Item 6, Medical Records for non-FAA employees which are destroyed five years after treatment date.
12. Records Access: This Notice updates the record access procedures to reflect that signatures on signed requests for records must either be notarized or accompanied by a statement made under penalty of perjury in compliance with 28 U.S.C. 1746. The FAA has determined that the sensitivity of the health information maintained in this system of records warrants this additional identity requirement.
The following non-substantive changes to the administrative, technical, and physical safeguards, contesting records procedures, and notification procedures have been made to improve the transparency and readability of the Notice:
13. Administrative, Technical and Physical Safeguards: This Notice updates the administrative, technical and physical safeguards to align with the requirements of OMB Memoranda A-108 and for consistency with other DOT/FAA SORNs.
14. Contesting Records: This Notice updates the procedures for contesting records to refer the reader to the record access procedures section rather than the "System Manager."
15. Notifications: This Notice updates the notification procedures to refer the reader to the record access procedures section rather than the "System Manager."
II. Privacy Act
The Privacy Act (5 U.S.C. 552a) governs the means by which the Federal Government collects, maintains, and uses personally identifiable information (PII) in a System of Records. A "System of Records" is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a System of Records Notice (SORN) identifying and describing each System of Records the agency maintains, including the purposes for which the agency uses PII in the system, the routine uses for which the agency discloses such information outside the agency, and how individuals to whom a Privacy Act record pertains can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them and to contest inaccurate information). In accordance with 5 U.S.C. 552a(r), DOT has provided a report of this system of records to the Office of Management and Budget and to Congress.
SYSTEM NAME AND NUMBER:
DOT/FAA 811, "FAA Health Information Records System."
SECURITY CLASSIFICATION:
Unclassified, sensitive.
SYSTEM LOCATION:
1. Federal Aviation Administration, Mike Monroney Aeronautical Center, Civil Aerospace Medical Institute, Occupational Health Clinic, 6500 S. MacArthur Blvd., Building 13, Oklahoma City, OK 73169.
2. Federal Aviation Administration, 800 Independence Avenue SW, Room 328, Building FOB10A, Washington, DC 20591.
SYSTEM MANAGER(S):
1. CAMI Occupational Health Clinic: AAM-700 CAMI Clinic Manager, Federal Aviation Administration, Mike Monroney Aeronautical Center, 6500 S. MacArthur Blvd., Building 13, Oklahoma City, OK 73169; (405) 954-3711.
2. DC Health Unit: AAM-200 Medical Specialties Division Manager, Federal Aviation Administration, 800 Independence Avenue SW, Room 328, Building FOB10A, Washington, DC 20591; (202) 267-3535.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
5 U.S.C. 7901.
PURPOSE(S) OF THE SYSTEM:
Records in this system of records are maintained for a variety of purposes, which include the following: Document the health facility visit(s) and/or emergency care provided, the nature of complaint, physical examination findings, treatment rendered, and case disposition. Medical evaluation records and participation status are maintained about members of the public to determine their eligibility to participate in research or training programs at the FAA.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Individuals covered by this system include federal employees, FAA contractors, and members of the public.
CATEGORIES OF RECORDS IN THE SYSTEM:
Information maintained includes records of emergency care visits by individuals at one of the FAA health facility locations, as well as participation status to determine eligibility for engagement in training and research programs at the FAA. Categories of records could include healthcare records such as medical history, vaccination information, full lists of medications and allergies, chronic medical problems and surgical history, medical examinations, laboratory and radiology information, hearing tests and spirometry tests for non-occupational reasons, as well as treatment plans, and participation status for engagement in research and training programs. PII elements include: full name, SSN/patient ID, date of birth, address, gender, company (if contractor), work phone, and cell phone.
RECORD SOURCE CATEGORIES:
Information contained in this system comes from a variety of sources to include the individuals to whom the records pertain, FAA health facility staff, federal and private sector medical practitioners and treatment facilities (including external providers and consultants).
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
In addition to other disclosures, generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside DOT as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
System Specific Routine Use
1. To external medical professionals and independent entities, any patient records required to support their reviews for purposes of determining medical quality assurance and safety of FAA health facilities.
2. To private or other government health care providers, portions of patient records required for consultation, referral, and continuity of care or mission medical contingency support.
3. To disclose information to a Federal, state, or local agency to the extent necessary to comply with laws governing reporting of communicable diseases.
4. To disclose to a requesting agency, organization, or individual minimal personal and health information concerning those individuals who are reasonably believed to have contracted an illness or been exposed to or suffered from a health hazard while visiting FAA facilities.
Departmental Routine Uses
5. In the event that a system of records maintained by DOT to carry out its functions indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether Federal, State, local or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto.
6. A record from this system of records may be disclosed, as a routine use, to a Federal, State, or local agency maintaining civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary to obtain information relevant to a DOT decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit.
7. A record from this system of records may be disclosed, as a routine use, to a Federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter.
8a. Routine Use for Disclosure for Use in Litigation. It shall be a routine use of the records in this system of records to disclose them to the Department of Justice or other Federal agency conducting litigation when (a) DOT, or any agency thereof, or (b) Any employee of DOT or any agency thereof, in his/her official capacity, or (c) Any employee of DOT or any agency thereof, in his/her individual capacity, where the Department of Justice has agreed to represent the employee, or (d) The United States or any agency thereof, where DOT determines that litigation is likely to affect the United States, is a party to litigation or has an interest in such litigation, and the use of such records by the Department of Justice or other Federal agency conducting the litigation is deemed by DOT to be relevant and necessary in the litigation, provided, however, that in each case, DOT determines that disclosure of the records in the litigation is a use of the information contained in the records that is compatible with the purpose for which the records were collected.
8b. Routine Use for Agency Disclosure in Other Proceedings. It shall be a routine use of records in this system to disclose them in proceedings before any court or adjudicative or administrative body before which DOT or any agency thereof, appears, when (a) DOT, or any agency thereof, or (b) Any employee of DOT or any agency thereof in his/her official capacity, or (c) Any employee of DOT or any agency thereof in his/her individual capacity where DOT has agreed to represent the employee, or (d) The United States or any agency thereof, where DOT determines that the proceeding is likely to affect the United States, is a party to the proceeding or has an interest in such proceeding, and DOT determines that use of such records is relevant and necessary in the proceeding provided, however that in each case, DOT determines that disclosure of the records in the proceeding is a use of the information contained in the records that is compatible with the purpose for which the records were collected.
9. The information contained in this system of records will be disclosed to the Office of Management and Budget, OMB, in connection with the review of private relief legislation as set forth in OMB Circular No. A-19 at any stage of the legislative coordination and clearance process as set forth in that Circular.
10. Disclosure may be made to a Congressional office from the record of an individual in response to an inquiry from the Congressional office made at the request of that individual. In such cases, however, the Congressional office does not have greater rights to records than the individual. Thus, the disclosure may be withheld from delivery to the individual where the file contains investigative or actual information or other materials, which are being used, or are expected to be used, to support prosecution or fines against the individual for violations of a statute, or of regulations of the Department based on statutory authority. No such limitations apply to records requested for Congressional oversight or legislative purposes; release is authorized under 49 CFR 10.35(9).
11. One or more records from a system of records may be disclosed routinely to the National Archives and Records Administration in records management inspections being conducted under the authority of 44 U.S.C. 2904 and 2906.
12. DOT may make available to another agency or instrumentality of any government jurisdiction, including State and local governments, listings of names from any system of records in DOT for use in law enforcement activities, either civil or criminal, or to expose fraudulent claims, regardless of the stated purpose for the collection of the information in the system of records. These enforcement activities are generally referred to as matching programs because two lists of names are checked for match using automated assistance. This routine use is advisory in nature and does not offer unrestricted access to systems of records for such law enforcement and related antifraud activities. Each request will be considered on the basis of its purpose, merits, cost effectiveness and alternatives using Instructions on reporting computer matching programs to the Office of Management and Budget, OMB, Congress, and the public, published by the Director, OMB, dated September 20, 1989.
13. It shall be a routine use of the information in any DOT system of records to provide to the Attorney General of the United States, or his/her designee, information indicating that a person meets any of the disqualifications for receipt, possession, shipment, or transport of a firearm
14a. To appropriate agencies, entities, and persons when (1) DOT suspects or has confirmed that there has been a breach of the system of records; (2) DOT has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, DOT (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with DOT's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
14b. To another Federal agency or Federal entity, when DOT determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
15. DOT may disclose records from this system, as a routine use, to the Office of Government Information Services for the purpose of (a) resolving disputes between FOIA requesters and Federal agencies and (b) reviewing agencies' policies, procedures, and compliance in order to recommend policy changes to Congress and the President.
16. DOT may disclose records from this system, as a routine use, to contractors and their agents, experts, consultants, and others performing or working on a contract, service, cooperative agreement, or other assignment for DOT, when necessary to accomplish an agency function related to this system of records.
17. DOT may disclose records from this system, as a routine use, to an agency, organization, or individual for the purpose of performing audit or oversight operations related to this system of records, but only such records as are necessary and relevant to the audit or oversight activity. This routine use does not apply to intra-agency sharing authorized under Section (b)(1) of the Privacy Act.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are stored in multiple formats, including paper, digital, micrographic, photographic, as well as medical recordings, such as electrocardiograph tapes, x-rays and strip charts.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records may be retrieved by name, SSN, patient ID and/or date of birth.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Emergency medical care related health records and participation status for engagement in research and training programs are maintained according to the following schedule: GRS 2.7 "Employee Health and Safety Records," Item 070, "Non-occupational Individual medical case files," which requires records to be destroyed 10 years after the most recent encounter. Medical records for non-FAA employees visiting the clinic to receive first aid or emergency treatment are maintained according to NARA, NCI-237-77-7 and destroyed five years after treatment date.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Records in this system are safeguarded in accordance with applicable rules and policies, including all applicable DOT automated systems security and access policies. Strict controls have been imposed to minimize the risk of compromising the information that is being stored. Access to records in this system is limited to those individuals who have a need to know the information for the performance of their official duties and who have appropriate clearances or permissions.
RECORD ACCESS PROCEDURES:
Individuals seeking notification of whether this system of records contains information about them may contact the System Manager at the address provided in the section "System Manager." When seeking records about yourself from this system of records or any other Departmental system of records your request must conform to the Privacy Act regulations set forth in 49 CFR part 10. You must sign your request and your signature must either be notarized or submitted under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization. If your request is seeking records pertaining to another living individual, you must include a statement from that individual certifying his/her agreement for you to access his/her records.
CONTESTING RECORD PROCEDURES:
See "Record Access Procedures."
NOTIFICATION PROCEDURE:
See "Record Access Procedures."
EXEMPTIONS CLAIMED FOR THE SYSTEM:
None.
HISTORY:
A full notice of this system of records, DOT/FAA 811 Employee Health Record System, was published in the Federal Register on April 11, 2000 (65 FR 19519).
Issued in Washington, DC.
Karyn Gorman,
Acting Departmental Chief Privacy Officer.