85 FR 247 pgs. 84119-84122 - Privacy Act of 1974; System of Records
Type: NOTICEVolume: 85Number: 247Pages: 84119 - 84122
Pages: 84119, 84120, 84121, 84122FR document: [FR Doc. 2020–28342 Filed 12–22–20; 8:45 am]
Agency: Veterans Affairs Department
Official PDF Version: PDF Version
[top]
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY:
Veterans Health Administration (VHA).
ACTION:
Notice of a modified system of records.
SUMMARY:
As required by the Privacy Act of 1974 notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records entitled, "Consolidated Data Information System-VA" (97VA10P1) as set forth in the Federal Register 80 FR 11524. VA is amending the system of records by revising the System Number; Categories of Individuals Covered By the System; Categories of Records in the System; Record Source Categories; Routine Uses of Records Maintained in the System and Policies; Policies and Practices for Storage of Records; Policies and Practices for Retrieval of Records; Policies and Practices for Retention and Disposal of Records; Administrative, Technical, and Physical Safeguards; Record Access Procedure; and Appendix. VA is republishing the system notice in its entirety.
DATES:
Comments on the amendment of this system of records must be received no later than January 22, 2021. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the amended system will become effective January 22, 2021.
ADDRESSES:
Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), Washington, DC 20420. Comments should indicate that they are submitted in response to "Consolidated Data Information System-VA (97VA10P1)". Comments received will be available at regulations.gov for public viewing, inspection or copies.
FOR FURTHER INFORMATION CONTACT:
Stephania Griffin, Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420, (704) 245-2492.
SUPPLEMENTARY INFORMATION:
The System Number will be changed from 97VA10P1 to 97VA10 to reflect the current VHA organizational routing symbol.
[top] The Categories of Individuals Covered by the System is being amended to include VA-enrolled Veterans. This section will remove individuals who are not beneficiaries.
The Categories of Records in the System is being amended to change "VHA Survey of Veteran Enrollees' Health and Reliance Upon VA" to "VA Survey of Veteran Enrollees' Health and Use of Health Care". This section will include prescription drugs along with patient assessments for patients receiving care from CMS certified facilities. The records also include data from United States Renal Data Systems (USRDS) for patients with chronic and end-stage renal disease. This section will remove records including information on Medicaid beneficiaries' utilization and enrollment from state databases. Also being removed is assessment files including Veteran and non-Veteran data.
The Records Source Categories is being amended to change Patient Medical Records System (24VA136) to Patient Medical Records-VA (24VA10A7), Patient Fee Basis Medical and Pharmacy Records (23VA136) change to Non-VA Care (Fee) Records-VA (23VA10NB3), and 38VA23 change to 38VA21.
The Routine Uses of Records Maintained in the System is amending the language in Routine Use #5 which states that disclosure of the records to the Department of Justice (DoJ) is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. This routine use will now state that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation.
Routine Use #7 has been amended by clarifying the language to state, "VA may disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm."
Routine use #13 is being added to state, "VA may disclose information from this system of records to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach."
Policies and Practices for Storage of Records section is being amended to remove that Data are maintained on magnetic tape, disk, or laser optical media. This section will now state that the data is maintained on VA approved removable media, VA approved and audited external servers and VA controlled systems.
Policies and Practices for Retrieval of Records is being amended to remove VA claim number, name, name and one or more criteria ( e.g., dates of birth, death and service). This section will include system beneficiary identifier.
Policies and Practices for Retention and Disposal of Records is being amended to remove that records will be maintained and disposed of in accordance with the records disposal authority approved by the Archivist of the United States, the National Archives and Records Administration, and published in Agency Records Control Schedules. This section will now state that in accordance with Records Control Schedule 10-1, 2201.2: Records that are intermediary and temporary can be destroyed upon verification of successful creation of the final document or file, or when no longer needed for business use, whichever is later. (GRS 5.2 item 020, DAA-GRS-2017-0003-0001).
Administrative, Technical, and Physical Safeguards section is being amended to remove 2. Access to Automated Data Processing files is controlled at two levels: (1) Terminals, central processing units, and peripheral devices are generally placed in secure areas (areas that are locked or have limited access) or are otherwise protected; and (2) the system recognizes authorized users by means of an individually unique password entered in combination with an individually unique user identification code. 3. Access to automated records concerning identification codes and codes used to access various VA automated communications systems and records systems, as well as security profiles and possible security violations is limited to designated automated systems security personnel who need to know the information in order to maintain and monitor the security of VA's automated communications and Veterans' claim records systems. Access to these records in automated form is controlled by individually unique passwords and codes. Agency personnel may have access to the information on a need to know basis when necessary to advise agency security personnel or for use to suspend or revoke access privileges or to make disclosures authorized by a routine use. This section will now replace number 2 with: Access to VA computer systems and data stored within these systems is restricted through secure username/or electronic access card and password requirements.
Record Access Procedure is being amended to remove name or other personal identifier. This section will include the SSN.
VA Appendix 5 is amending number 1 to replace of Office of the Assistant Deputy Under Secretary for Health (ADUSH) for Policy and Planning with Office of Policy and Planning/Chief Strategy Office. Being deleted are items 2. VA Information Resource Center (VIReC), Hines VA Medical Center, 5th Ave & Roosevelt Ave, Hines, IL 60141. Veterans Health Administration (VHA), 810 Vermont Avenue NW, Washington, DC 20420 and items 3. Office of the Assistant Deputy Under Secretary for Health (ADUSH) for Policy and Planning, 811 Vermont Avenue NW, Washington, DC 20420, Silver Spring, MD, and/or Martinsburg, WV. Item 5 which is now number 3 is replacing VA facilities with "Other VA controlled systems".
Signing Authority
The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. James P. Gfrerer, Assistant Secretary of Information and Technology and Chief Information Officer, approved this document on November 10, 2020 for publication.
[top]
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, Office of Information and Technology, Department of Veterans Affairs.
SYSTEM NAME AND NUMBER:
"Consolidated Data Information System-VA" (97VA10)
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Records will be maintained at Department of Veteran Affairs (VA) Veterans Health Administration (VHA) sites for the Centers for Medicare and Medicaid Services (CMS) data (see VA Appendix 5).
SYSTEM MANAGER(S):
Manager, Medicare and Medicaid Analysis Center, 100 Grandview Road, Suite 114, Braintree, MA 02184.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Section 527 of 38 U.S.C. and the Government Performance and Results Act of 1993, Public Law 103-62.
PURPOSE(S) OF THE SYSTEM:
The purpose of this system of records is to conduct statistical studies and analyses which will support the formulation of Departmental policies and plans by identifying the total current health care usage of the VA patient population. The records and information may be used by VA in evaluation of Department programs. The information may be used to conduct research.
CATEGORIES OF INDIVIDUALS COVERED BY THIS SYSTEM:
Records include information concerning VA-enrolled Veterans, their spouses and their dependents, family members, active duty military personnel, individuals who are not VA enrollees but who receive health care services from VHA and other non-Veterans.
CATEGORIES OF RECORDS IN THE SYSTEM:
Categories of records in the system will include Veterans' names, addresses, dates of birth, VA claim numbers, Social Security numbers (SSN), and military service information, medical benefit application and eligibility information, code sheets and follow-up notes, sociological, diagnostic, counseling, rehabilitation, drug and alcohol, dietetic, medical, surgical, dental, psychological, and/or psychiatric medical information, prosthetic, pharmacy, nuclear medicine, social work, clinical laboratory and radiology information, patient scheduling information, family information such as next of kin, spouse and dependents' names, addresses, Social Security numbers and dates of birth, family medical history, employment information, financial information, third-party health plan information, information related to registry systems, date of death, VA claim and insurance file numbers, travel benefits information, military decorations, disability or pension payment information, amount of indebtedness arising from 38 U.S.C. benefits, applications for compensation, pension, education and rehabilitation benefits, information related to incarceration in a penal institution, medication profile such as name, quantity, prescriber, dosage, manufacturer, lot number, cost and administration instruction, pharmacy dispensing information such as pharmacy name and address.
The records will include information on Medicare and Medicaid beneficiaries from CMS databases including information related to health care usage, demographics, enrollment, prescription drugs and survey files. The records also include patient assessments for patients receiving care from CMS certified facilities. The records also include data from United States Renal Data Systems (USRDS) for patients with chronic and end-stage renal disease.
The records include information on Veterans enrolled for VA health care who have participated in the periodic "VA Survey of Veteran Enrollees' Health and Use of Health Care".
The records also include information on: Civilian Health and Medical Program of the Department of Veterans Affairs (CHAMPVA), VA/DOD Identity Repository (VADIR), as well as the Operations Enduring Freedom and Operations Iraqi Freedom (OEF/OIF) roster (Defense Manpower Data Center).
RECORD SOURCE CATEGORIES:
Information may be obtained from the Patient Medical Records-VA (24VA10A7), Non-VA Care (Fee) Records-VA (23VA10NB3), Veterans and Beneficiaries Identification and Records Location Subsystem (38VA21), Compensation, Pension, Education and Rehabilitation Records (58VA21/22), all other potential VA and non-VA sources of Veteran demographic information, and CMS databases. The records also include information from: CHAMPVA, VADIR, as well as the OEF/OIF roster (Defense Manpower Data Center), and USRDS.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
VA may disclose protected health information pursuant to the following routine uses where required by law, or required or permitted by 45 CFR parts 160 and 164.
1. VA may disclose any information in this system, except the names and home addresses of Veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a State, local or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. VA may also disclose the names and addresses of Veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.
2. Disclosure may be made, excluding name and address (unless name and address are furnished by the requestor) for research purposes determined to be necessary and proper to epidemiological and other research facilities approved by the System Manager or the Under Secretary for Health, or designee.
3. Any record in the system of records may be disclosed to a Federal agency for the conduct of research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that there is legal authority under all applicable confidentiality statutes and regulations to provide the data and VHA Medicare and Medicaid Analysis Center (MAC) has determined prior to the disclosure that VA data handling requirements are satisfied. MAC may disclose limited individual identification information to another Federal agency for the purpose of matching and acquiring information held by that agency for MAC to use for the purposes stated for this system of records.
4. Disclosure may be made to National Archives and Records Administration (NARA) in records management inspections conducted under authority of title 44 United States Code.
[top] 5. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the
6. Disclosure may be made to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has an agreement or contract to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA.
7. VA may disclose any information or records to appropriate agencies, entities, and persons when: (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
8. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the member, when the member or staff person requests the record on behalf of and at the written request of the individual.
9. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.
10. To disclose information to the Equal Employment Opportunity Commission when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or the other functions of the Commission as authorized by law or regulation.
11. To disclose information to officials of the Merit Systems Protection Board, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be authorized by law.
12. To disclose to the Federal Labor Relations Authority (including its General Counsel) information related: (1) To the establishment of jurisdiction, the investigation and resolution of allegations of unfair labor practices, or information in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; (2) to disclose information in matters properly before the Federal Service Impasses Panel; and (3) to investigate representation petitions and conduct or supervise representation elections.
13. VA may disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Data is maintained on VA approved removable media, VA approved and audited external servers and VA controlled systems.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records may be retrieved by SSN or system beneficiary identifier.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Copies of back-up computer files will be maintained at primary and secondary VA recipient sites for CMS data (see Appendix 5). In accordance with Records Control Schedule 10-1, 2201.2: Records that are intermediary and temporary can be destroyed upon verification of successful creation of the final document or file; or when no longer needed for business use, whichever is later. (GRS 5.2 item 020, DAA-GRS-2017-0003-0001).
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
1. Access to and use of these records is limited to those persons whose official duties require such access. Personnel screening is employed to prevent unauthorized disclosure.
2. Access to VA computer systems and data stored within these systems is restricted through secure username/or electronic access card and password requirements.
3. Access to VA facilities where identification codes, passwords, security profiles and possible security violations are maintained is controlled at all hours by the Federal Protective Service, VA or other security personnel and security access control devices.
RECORD ACCESS PROCEDURE:
An individual who seeks access to records maintained under his/her SSN may write the System Manager named above and specify the information being contested.
CONTESTING RECORD PROCEDURES:
(See Record Access Procedures).
NOTIFICATION PROCEDURE:
Individuals wishing to inquire whether this system of records contains information about them should submit a signed written request to the Manager, Medicare and Medicaid Analysis Center, 100 Grandview Road, Suite 114, Braintree, MA 02184.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
Last full publication provided in 76 FR 25409 dated May 4, 2011.
VA Appendix 5
1. VA Medicare and Medicaid Analysis Center, field unit of Office of Policy and Planning/Chief Strategy Office, 100 Grandview Road, Suite 114, Braintree, MA 02184.
2. Austin Information Technology Center, 1615 Woodward Street, Austin, TX 78772.
3. Other VA controlled systems.
[FR Doc. 2020-28342 Filed 12-22-20; 8:45 am]
BILLING CODE P