Employee Assistance Program (EAP) Records, Social Security Administration, Deputy Commissioner for Human Resources, Office of Personnel, Center for Employee Services

Effective Date: January 11, 2006

(71 F.R. 1851)

SOCIAL SECURITY ADMINISTRATION NOTICE OF SYSTEM OF RECORDS REQUIRED BY THE PRIVACY ACT OF 1974

SYSTEM NUMBER: 60-0234

System name:

    Employee Assistance Program (EAP) Records, Social Security Administration, Deputy Commissioner for Human Resources, Office of Personnel, Center for Employee Services.

Security classification:

    None.

System Location:

            Social Security Administration

          Office of Human Resources

          Office of Personnel

          Center for Employee Services

          Employee Assistance Program

          6401 Security Boulevard

          Baltimore, Maryland 21235

    Social Security Administration (SSA) Regional Offices, Human Resources Center (contact the system manager or access http://www.socialsecurity.gov/foia/bluebook/app_g.htm for address information).

Categories of individuals covered by the system:

    This system covers SSA employees, employees of other organizations serviced by SSA Employee Assistant Program (EAP), or family members of any of these employees who have been counseled and/or referred for counseling for personal problems by the EAP.

Categories of Records in the system:

    The system contains records of each employee and family member who has utilized the EAP for a personal problem. Examples of information that may be found in each record are employee or family member name, date of birth, grade, job title, home address, telephone numbers, and supervisor's name and telephone number. In addition to the demographic data, certain clinical information is normally maintained in each record including a psychosocial history, assessment of personal problems, information regarding referrals to treatment facilities in the community, and intervention outcomes. Also, information relating to finances that the employee voluntarily provides; disposition, including employees stated intentions; record of letters or tax forms sent as replies; letters from creditors or their representatives and copies of our replies and copies of tax levies against employees. Finally, if an employee is referred to the EAP by a supervisor, the record may contain information regarding the referral such as leave record, reasons for referral, and outcomes of supervisory interventions.

Authority for maintenance of the system:

    5 U.S.C. 7361, 7362, 7901, and 7904.

Purpose(s):

    These records are used to document the nature and extent of the employee's or family member's personal problem and the background information necessary for formulating an intervention plan in an effort to resolve the personal problem and return the employee to full productivity. The record is also used to document, when appropriate, where the employee or family member has been referred for treatment or rehabilitation and the progress in such treatment.    Anonymous information from these records is also needed for the purpose of preparing statistical reports and analytical studies in support of the EAP's management.

Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

    Disclosure may be made for routine uses as indicated below.

    1. To contractors if the Social Security Administration contracts with private firms, individuals, or other groups such as a Federal Employee Assistance Program (EAP) consortium for the purpose of providing the EAP functions. The contractor shall be required to maintain Privacy Act safeguards with respect to such records. The contractors will surrender to the EAP all of these records as well as any new records at the time of contract termination.

    2. To the Department of Justice (DOJ), a court or other tribunal, or another party before such tribunal, when:

    (a) The Social Security Administration (SSA), or any component thereof; or

    (b) Any SSA employee in his/her official capacity; or

    (c) Any SSA employee in his/her individual capacity where DOJ (or SSA, where it is authorized to do so) has agreed to represent the employee; or

    (d) The United States or any agency thereof where SSA determines that the litigation is likely to affect SSA or any of its components, is a party to the litigation or has an interest in such litigation, and SSA determines that the use of such records by DOJ, a court or other

tribunal, or another party before such tribunal, is relevant and necessary to the litigation, provided, however, that in each case, SSA determines that such disclosure is compatible with the purpose for which the records were collected.

    3. To a congressional office in response to any inquiry from that office made at the request of the subject of the record.

    4. To a court or other tribunal, or a party before the same, where the records are covered by the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 CFR part 2). Any disclosure of such patient records must be pursuant to a qualified service

organization agreement that meets the requirements of 42 CFR part 2 and must also comply with all other aspects of these regulations. The Employee Assistance Program Administrators in each program location must personally approve any disclosure made under this routine use based on his or her determination that it is compatible with the purpose for which the records were collected.

    5. To student volunteers, individuals working under a personal services contract, and other workers who technically do not have the status of Federal employees, when they are performing work for the Social Security Administration (SSA), as authorized by law, and they need access to personally identifiable information in SSA records in order to perform their assigned Agency functions.

    6. To the General Services Administration and the National Archives Records Administration (NARA) under 44 U.S.C. 2904 and 2906, as amended by the NARA Act of 1984, information which is not restricted from disclosure by Federal law for the use of those agencies in conducting records management studies.

    7.  We may disclose information to appropriate Federal, State, and local agencies, entities, and persons when (1) we suspect or confirm that the security or confidentiality of information in this system of records has been compromised; (2) we determine that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs of SSA that rely upon the compromised information; and (3) we determine that disclosing the information to such agencies, entities, and persons is necessary to assist in our efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. SSA will use this routine use to respond only to those incidents involving an unintentional release of its records.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

Storage:

    Records are maintained in automated form (e.g., computer readable media, hard drives, floppy disks, and Compact Disc-Read Only Memory (CD-ROM)) and in paper form (e.g., folders, index cards).

Retrievability:

    Records are retrieved by a case code number. These numbers are cross-indexed by name of employee or family member.

Safeguards:

    1. Authorized Users: Access to these records is limited to the EAP Administrators who work directly with employees and family members in each program location and their immediate staffs (including staff counselors, staff secretaries, contract or consortia counselors and secretaries). All EAP Administrators, whether or not they directly provide clinical services, may access the records for the purposes of program evaluation, destroying records at the end of their period of maintenance, and transferring records from one contractor to another.

    2. Physical Safeguards: All records are stored in a metal filing cabinet equipped with at least a combination lock, and preferably a locking bar. This file cabinet is in a secured area, accessible only to the EAP staff, and is locked when not in use. Computer readable

information is maintained in discrete systems and/or is password protected. Computers are also stored in secured areas, accessible to only the EAP staff. These records are always maintained separate from any other system of records.

    3. Procedural Safeguards: All persons having access to the records shall have previous training in the proper handling of records covered by the Privacy Act and 42 CFR part 2 (Confidentiality of Alcohol and Drug Abuse Patient Records). These restrict disclosures to unique situations, such as medical emergencies, except when the employee or family member has consented in writing. Furthermore, employees and family members who utilize the EAP will be informed in writing of the confidentiality provisions; and secondary disclosure of information is prohibited without employee consent.

    Access http://www.socialsecurity.gov/foia/bluebook/app_g.htm for additional information relating to SSA data security measures.

Retention and disposal:

    Records are retained until three years after the employee or family member has ceased contact with the EAP or until any litigation is resolved. However, if an employee has been terminated from SSA employment, records are retained for at least three years after the

official date of termination and until any litigation is resolved. Files are then destroyed.

System manager(s) and address(es):

            Social Security Administration

          Director

          Center for Employee Services

          Office of Personnel

          Office of Human Resources

          6401 Security Boulevard

          Baltimore, Maryland 21235

Notification procedures:

    Upon receiving a request, the EAP Administrator shall weigh the need for disclosure against the potential injury to the patient, to the physician-patient relationship, and to the treatment services. The EAP Administrator will then determine the extent to which any disclosure of all or any part of the record is necessary (42 CFR part 2 does not compel disclosure).

    An individual can determine if this system contains a record about him/her by writing to the system manager(s) at the above address and providing his/her name, SSN or other information that may be in the system of records that will identify him/her. An individual requesting notification of records in person should provide the same information, as well as provide an identity document, preferably with a photograph, such as a driver's license or some other means of identification. If an individual does not have any identification documents sufficient to establish his/her identity, the individual must certify in writing that he/she is the person claimed to be and that he/she understands that the knowing and willful request for, or acquisition of, a record pertaining to another individual under false pretenses is a criminal offense.    If notification is requested by telephone, an individual must verify his/her identity by providing identifying information that parallels information in the record to which notification is being requested. If it is determined that the identifying information provided by telephone is insufficient, the individual will be required to submit a request in writing or in person. If an individual is requesting information by telephone on behalf of another individual, the subject individual must be connected with SSA and the requesting individual in the same phone call. SSA will establish the subject

individual's identity (his/her name, SSN, address, date of birth and place of birth, along with one other piece of information, such as mother's maiden name) and ask for his/her consent in providing information to the requesting individual.

    If a request for notification is submitted by mail, an individual must include a notarized statement to SSA to verify his/her identity or must certify in the request that he/she is the person claimed to be and that he/she understands that the knowing and willful request for, or acquisition of, a record pertaining to another individual under false pretenses is a criminal offense. These procedures are in accordance with SSA Regulations (20 CFR 401.40(c)).

Record access procedures:

    Same as Notification procedures. Requesters should also reasonably specify the record contents being sought. These procedures are in accordance with SSA Regulations (20 CFR 401.40(c)).

Contesting record procedures:

    Same as Notification procedures. Also, requesters should reasonably identify the record, specify the information they are contesting and the corrective action sought, and the reasons for the correction, with supporting justification showing how the record is incomplete, untimely, inaccurate or irrelevant. These procedures are in accordance

with SSA Regulations (20 CFR 401.65(a)).

Record source categories:

    Information in this system of records is: (1) Supplied directly by the individual, or (2) supplied by a member of the employee's family, or (3) derived from information supplied by the individual, or (4) supplied by sources to whom the employee and/or family member has been referred for assistance, or (5) supplied by SSA officials, or (6) supplied by EAP counselors.

Systems exempted from certain provisions of the Privacy Act:

    None.