Privacy Act of 1974; System of Records

Issuing agencies

Abstract

In accordance with the requirements of the Privacy Act of 1974, as amended (Privacy Act) (5 U.S.C 552a), HHS is establishing a new system of records, 09-15-0070, "Graduate Medical Education (GME) Full-Time Equivalent (FTE) Resident Assessment Records," to be maintained by, and on behalf of, HRSA. The system of records will contain records about medical and dental residents training in children's hospitals and teaching health centers, which are used to justify the number of residents counted in calculating GME reimbursement payments to the hospitals and health centers and avoid duplicative reimbursements.

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 96 (Tuesday, May 19, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 96 (Tuesday, May 19, 2026)]
[Notices]
[Pages 29143-29146]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-10017]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Resources and Services Administration


Privacy Act of 1974; System of Records

AGENCY: Health Resources and Services Administration (HRSA), Department 
of Health and Human Services (HHS).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended (Privacy Act) (5 U.S.C 552a), HHS is establishing a 
new system of records, 09-15-0070, ``Graduate Medical Education (GME) 
Full-Time Equivalent (FTE) Resident Assessment Records,'' to be 
maintained by, and on behalf of, HRSA. The system of records will 
contain records about medical and dental residents training in 
children's hospitals and teaching health centers, which are used to 
justify the number of residents counted in calculating GME 
reimbursement payments to the hospitals and health centers and avoid 
duplicative reimbursements.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is 
effective May 19, 2026, with the exception of the routine uses 
described below, which are effective June 18, 2026. Please submit any 
comments on the notice, including the routine uses, by June 18, 2026.

ADDRESSES: The public should submit written comments, identified by 
Privacy Act System of Records number 09-15-0070, by email to 
<a href="/cdn-cgi/l/email-protection#3464465d4255574d755740745c4647551a535b42"><span class="__cf_email__" data-cfemail="5505273c2334362c143621153d2726347b323a23">[email&#160;protected]</span></a> or by mail to HRSA Privacy Act Office, Office of 
Planning, Analysis, and Evaluation, 5600 Fishers Lane, 13N82, 
Rockville, MD 20852. Comments will be made available by request to the 
email or physical address above.

FOR FURTHER INFORMATION CONTACT: General questions about the system of 
records may be submitted to Samantha Miller, HRSA Privacy Act Office, 
Office of Planning, Analysis, and Evaluation, 5600 Fishers Lane, 13N82, 
Rockville, MD 20852, email: <a href="/cdn-cgi/l/email-protection#4212302b3423213b032136022a3031236c252d34"><span class="__cf_email__" data-cfemail="6434160d1205071d250710240c1617054a030b12">[email&#160;protected]</span></a> and 301-443-3983.

SUPPLEMENTARY INFORMATION: HRSA administers the Children's Hospitals 
Graduate Medical Education (CHGME) Payment Program and Teaching Health 
Center Graduate Medical Education (THCGME) Payment Program, which make 
payments to children's hospitals and teaching health centers that 
operate GME programs. The Programs' authorities require that payments 
be calculated based in part on the number of FTE residents in the 
children's hospitals' and teaching health centers' approved residency 
training programs. See 42 U.S.C. 256e(c) and 256h(c). Further, the 
Programs' authorities require a yearly reconciliation, i.e., a yearly 
determination of any changes to the number of residents reported by a 
children's hospital or teaching health center in its application, to 
determine the final amount payable each year. See 42 U.S.C. 256e(e)(3) 
and 256h(f). HRSA engages a contractor to assist with this 
determination, which is referred to as the GME FTE Resident Assessment.
    To obtain information needed to perform the GME FTE Resident 
Assessment, the HRSA contractor compiles and maintains records about 
individuals who are medical and dental residents in participating 
children's hospitals and teaching health centers. These records are 
retrieved by the residents' personal identifiers and therefore 
constitute a ``system of records'' as defined by the Privacy Act at 5 
U.S.C. 552a(a)(5). This system of records, titled ``Graduate Medical 
Education (GME) Full-Time Equivalent (FTE) Resident Assessment 
Records,'' is more fully described in this Privacy Act System of 
Records Notice.
    As required by 5 U.S.C. 552a(r), the Department has submitted a 
report on the proposed system of records to the Office of Management 
and Budget, the House Committee on Oversight and Government Reform, and 
the Senate Committee on Homeland Security and Governmental Affairs.
SYSTEM NAME AND NUMBER:
    Graduate Medical Education (GME) Full-Time Equivalent (FTE) 
Resident Assessment Records, 09-15-0070.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is: Division of Medicine and Dentistry, Bureau of Health 
Workforce, HRSA, 5600 Fishers Lane, Rockville, MD 20857. The contractor 
maintaining the system of records on behalf of HRSA is currently 
Integrity Management Services, Inc., located at 5911 Kingstowne Village 
Parkway, Suite 210, Alexandria, VA 22315.

SYSTEM MANAGER(S):
    Contracting Officer's Representative, Division of Medicine and 
Dentistry, Bureau of Health Workforce, HRSA, 5600 Fishers Lane, 
Rockville, MD 20857.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The authorities for maintaining the system are 42 U.S.C. 256e 
(section 340E of the Public Health Service Act) and 42 U.S.C. 256h 
(section 340H of the Public Health Service Act).

PURPOSE(S) OF THE SYSTEM:
    The primary purpose of the system of records is to enable HRSA to 
carry out the CHGME Payment Program authorized by 42 U.S.C. 256e and 
the THCGME Program authorized by 42 U.S.C. 256h. Records about medical 
and dental residents will be used to determine any changes to the 
number of residents reported by participating children's hospitals and 
teaching health centers in their applications to determine the final 
amount of GME reimbursement payable to each hospital and health center. 
To assist with this determination, which is referred to as the GME FTE 
Resident Assessment, HRSA engages a contractor (``fiscal 
intermediary''). Records will be used to assess the accuracy of the 
number of FTE residents reported (including ensuring that no residents 
are counted as more than one FTE resident) and to resolve discrepancies 
identified in the number of FTE residents reported. Records may also be 
used for program evaluation activities, such as conducting audits; 
establishing or verifying information provided by or about residents; 
and combating fraud, waste, or abuse of CHGME or THCGME funds. Other 
secondary purposes for which the records may be used are to enable HRSA 
to assist federal or state agency officials who carry out federal GME 
programs.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Records will pertain to medical and dental residents training at 
children's hospitals participating in the CHGME Payment Program and 
teaching health

[[Page 29144]]

centers participating in the THCGME Program.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system stores information about residents' rotational training 
assignments and years completed in residency. Categories of records 
include, for each resident: identifying information (e.g., name and 
Social Security number of the resident); type of residency program in 
which the individual participates and the number of years the resident 
has completed in all types of residency programs; dates the resident is 
assigned to the hospital and any hospital-based providers; dates the 
resident is assigned to other hospitals, or other freestanding 
providers, and any non-provider setting during the cost reporting 
period, if any; name of the medical, osteopathic, dental, or podiatric 
school from which the resident graduated and the date of graduation; 
documentation concerning foreign medical school graduation date and 
certification date, if the resident is a foreign medical graduate; name 
of the employer (e.g., hospital, university, corporation) paying the 
resident's salary; percentage of time spent working in any area of the 
hospital complex or in a non-provider setting under agreement with the 
hospital for GME; and start and end dates assigned to the hospital and 
any hospital-based providers (assignment periods) during the children's 
hospital's or teaching health center's cost reporting period, the start 
and end dates assigned to any non-hospital or non-provider setting in 
connection with approved residency programs (assignment periods) during 
the children's hospital's or teaching health center's cost reporting 
period, and the full-time or part-time percentage during each 
assignment period.

RECORD SOURCE CATEGORIES:
    Information in the records is obtained from participating 
children's hospitals or teaching health centers, which provide it on 
forms approved under Office of Management and Budget (OMB), including 
OMB control no. 0915-0247, if the children's hospital or teaching 
health center does not file a Medicare cost report with the Centers for 
Medicare & Medicaid Services (CMS). The system also includes records 
originally received by CMS on OMB-approved forms under OMB control no. 
0938-0050, which are obtained from CMS if the children's hospital or 
teaching health center files a Medicare cost report with CMS.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to other disclosures which are authorized directly in 
the Privacy Act at 5 U.S.C. 552a(b), these routine uses, published 
pursuant to 5 U.S.C. 552a(b)(3), specify circumstances under which 
records from this system of records may be disclosed to parties outside 
HHS without the consent of the individual to whom the records pertain:
    <bullet> Routine Use 1: Records may be disclosed to HHS contractors 
(including fiscal intermediaries) or other entities (including 
consultants, researchers and support personnel) that have been engaged 
by HHS to assist in carrying out functions relating to the purposes of 
this system of records and require access to the records in order to 
assist HHS. Such functions include but are not limited to: performing 
the FTE Resident Assessment; conducting audits; establishing or 
verifying information provided by or about residents; and combating 
fraud, waste, or abuse of CHGME or THCGME funds. The contractors, 
subcontractors, or other entities as defined in 5 U.S.C. 552a(m)(1) 
will be prohibited from using or disclosing the records for any purpose 
other than the purpose(s) specified by HRSA, to comply with the Privacy 
Act of 1974, as amended, enforced through Federal Acquisition 
Regulation Subpart 24.1 and required to return or destroy all records 
as specified by HRSA.
    <bullet> Routine Use 2: HHS contractors or HRSA may disclose 
records to children's hospitals participating in the CHGME Payment 
Program and teaching health centers participating in the THCGME 
Program, if such records relate to individuals training in the 
hospital's or teaching health center's residency program, to facilitate 
compliance with CHGME Payment Program or THCGME Program requirements.
    <bullet> Routine Use 3: When a record on its face, or in 
conjunction with other records, indicates a violation or potential 
violation of law, whether civil, criminal or regulatory in nature, HRSA 
may disclose the record to the appropriate agency or public authority 
responsible for enforcing, investigating or prosecuting such violation 
(including but not limited to Federal, Tribal, State, local, or foreign 
agencies or public authorities), if the information disclosed is 
relevant to the responsibilities of the agency or public authority.
    <bullet> Routine Use 4: Records may be disclosed to the Department 
of Justice or to a court or other adjudicative body in litigation or 
other proceedings when any of the following is a party to the 
proceedings or has an interest in the proceedings and, by careful 
review, the agency determines that the records are both relevant and 
necessay to the proceedings: (a) HHS or any component thereof; or (b) 
any employee of HHS in the employee's official capacity; or (c) any 
employee of HHS in the employee's individual capacity where the 
Department of Justice or HHS has agreed to represent the employee; or 
(d) the United States Government.
    <bullet> Routine Use 6: Records may be disclosed to appropriate 
agencies, entities, and persons when: (1) HHS suspects or has confirmed 
that there has been a breach of the system of records; (2) HHS has 
determined that as a result of the suspected or confirmed breach, there 
is a risk of harm to individuals, HHS (including its information 
systems, programs, and operations), the federal government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with HHS's 
efforts to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    <bullet> Routine Use 7: Records may be disclosed to another federal 
agency or federal entity, when HHS determines that information from 
this system of records is reasonably necessary to assist the recipient 
agency or entity in: (1) responding to a suspected or confirmed breach; 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the federal government, or national 
security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored electronically in the system maintained by the 
HRSA contractor or subcontractor assisting with the GME FTE Resident 
Assessment. Contractors or subcontractors operating this system to 
collect, access and store records must obtain an Authority to Operate 
meeting security and privacy requirements in accordance with the 
Federal Information Security Modernization Act (44 United States Code 
101), National Institute of Standards and Technology Special 
Publication 800-53, OMB Circular A-130, OMB Memoranda (17-12, 03-22), 
the Federal Risk and Authorization Management Program, Federal 
Information Processing Standards Publication 199, and HHS and HRSA 
applicable regulations and policies.

[[Page 29145]]

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the subject individual's name or Social 
Security number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The GME FTE Resident Assessment Records are currently unscheduled 
and will be retained indefinitely until authorized for disposition 
under a schedule approved by the National Archives and Records 
Administration.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    HHS, HHS contractors, and subcontractors having access to the 
records have been trained in the Privacy Act and information security 
requirements. HHS, contractors, and subcontractor employees who 
maintain records in this system or have access to the records in the 
system are required to not release data until the intended recipient 
agrees to implement appropriate management, operational and technical 
safeguards sufficient to protect the confidentiality, integrity and 
availability of the information and information systems and to prevent 
unauthorized access in accordance with applicable law. This system will 
conform to all applicable Federal laws and regulations and Federal, 
HHS, and HRSA policies and standards as they relate to information 
security and data privacy. Measures to prevent unauthorized disclosures 
of GME FTE Resident Assessment records are implemented as appropriate 
for each location or form of storage and for the types of records 
maintained. Safeguards conform to the HHS Information Security and 
Privacy Program, <a href="https://www.hhs.gov/ocio/securityprivacy/index.html">https://www.hhs.gov/ocio/securityprivacy/index.html</a>. 
Site(s) implement personnel and procedural safeguards such as the 
following:
    <bullet> Authorized Users: Access is strictly limited to authorized 
HHS and contractor personnel whose duties require such access (i.e., 
who have a valid, business need-to-know).
    <bullet> Administrative Safeguards: Administrative controls include 
the completion of a Security Assessment and Authorization package and a 
Privacy Impact Assessment for information technology systems used to 
maintain the records, and mandatory completion of annual HRSA 
Information Security and Privacy Awareness training for personnel 
authorized to access the records. The Security Assessment and 
Authorization package consists of a Security Categorization, e-
Authentication Risk Assessment, System Security Plan, evidence of 
Security Control Testing, Plan of Action and Milestones, Contingency 
Plan, and evidence of Contingency Plan Testing. When the agency engages 
an outside contractor to support design, development, or operation of 
the system of records, the applicable Privacy Act Federal Acquisition 
Regulation clauses are inserted in solicitations and contracts.
    <bullet> Physical Safeguards: Controls to secure the data and 
protect electronic records, buildings, and related infrastructure 
against threats associated with their physical environment include and/
or HHS Personnel Security Clearance of HRSA employees, contractors, and 
subcontractors and the use of the HHS Personal Identity Verification 
card. Access to the restricted office area containing the rooms where 
records are stored is controlled through the use of limited access 
proximity cards. Only authorized users have access to these cards. 
Individuals who enter the restricted area without a limited access 
proximity card are under escort at all times. During regular business 
hours, rooms in this restricted area are unlocked but entry is 
controlled by on-site personnel. Rooms where records are stored are 
locked when not in use. Records are kept under the direct control of 
the System Manager, authorized federal employees, and/or delegated 
contractors and subcontractors. Contractor interaction with this system 
of records will occur on-site and no electronic records will be allowed 
to be removed from the GME FTE Resident Assessment System unless 
authorized. All authorized users of personal information in connection 
with the performance of their jobs will be required to protect 
information from public view and from unauthorized personnel entering 
an unsupervised area/office.
    <bullet> Technical Safeguards: Electronic media are kept on secure 
servers or computer systems. Controls are employed to minimize the 
possibility of unauthorized access, use, or dissemination of the data 
in the system. They include user identification, password protection, 
firewalls, virtual private network, encryption, intrusion detection 
system, common access cards, smart cards, biometrics, and public key 
infrastructure. Computer records are accessible only through a series 
of code or keyword commands available from and under the direct control 
of the System Manager, authorized federal employees or delegated 
contractors and/or subcontractors. These records are secured by a 
multi-level security system which is capable of controlling access to 
the individual data field level. Persons having access to the computer 
database can be restricted to a confined application which permits only 
a narrow ``view'' of the data.

RECORD ACCESS PROCEDURES:
    An individual seeking access to records about an individual in this 
system of records must submit a written access request to either the 
System Manager (see above ``System Manager(s)'' section), the HRSA 
Privacy Act Office (see above ``Addresses'' section), or the HHS FOIA/
Privacy Act Public Access web portal at <a href="https://www.foia.gov/agency-search.html?id=8ea3cba7-f377-40b9-b3cc-0b608c21342e&type=component">https://www.foia.gov/agency-search.html?id=8ea3cba7-f377-40b9-b3cc-0b608c21342e&type=component</a>. The 
request must contain the requester's (subject individual's) name, 
address, date of birth, and signature, and should also provide a 
reasonable description of the contents of the record being sought. To 
verify the requester's identity, the requester's signature must be 
notarized, or the request must include the requester's written 
certification that the requester is the person the requester claims to 
be and that the requester understands that the knowing and willful 
request for or acquisition of records pertaining to an individual from 
an agency under false pretenses is a criminal offense subject to a fine 
of up to $5,000. An individual may request that copies of the records 
be sent to them, or direct that the records be sent to a third party in 
accordance with the individual's signed, written consent (a pre-
existing power of attorney may qualify as such a consent), or request 
an appointment to review the records in person (including with a person 
of their choosing, if they provide written authorization for agency 
personnel to discuss the records in that person's presence). An 
individual may also request an accounting of disclosures that have been 
made of records about them, if any. A court-appointed guardian for a 
subject individual who requests access to the individual's record must, 
in addition to verifying the individual's identity, verify the 
guardian's relationship to the individual and the guardian's own 
identity.

CONTESTING RECORD PROCEDURES:
    Individuals (or their court-appointed guardians, if applicable) may 
seek to amend a record about them in this system of records by 
submitting a written amendment request to the System Manager (see above 
``System Manager(s)'' section). The request must contain the same 
information required for an access request and must include 
verification of the requester's (and, if

[[Page 29146]]

applicable, the guardian's) identity in the same manner required for an 
access request. In addition, the request must reasonably identify the 
record, specify the information being contested, state the corrective 
action sought and the reason(s) for requesting the correction, and 
include supporting documentation to show how the record is inaccurate, 
incomplete, untimely, or irrelevant. Only information that is factually 
inaccurate, incomplete, untimely, or irrelevant may be contested.

NOTIFICATION PROCEDURES:
    Individuals (or their court-appointed guardians, if applicable) who 
wish to know if this system of records contains records about them must 
submit a written notification request to the System Manager (see above 
``System Manager(s)'' section). The request must contain the same 
information required for an access request and must include 
verification of the requester's (and, if applicable, the guardian's) 
identity in the same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

Maria G. Button,
Director, Executive Secretariat.
[FR Doc. 2026-10017 Filed 5-18-26; 8:45 am]
BILLING CODE 4160-15-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>