89 FR 37 pgs. 13806-13809 - Privacy Act of 1974; System of Records
Type: NOTICEVolume: 89Number: 37Pages: 13806 - 13809
Pages: 13806, 13807, 13808, 13809FR document: [FR Doc. 2024–03715 Filed 2–22–24; 8:45 am]
Agency: Veterans Affairs Department
Official PDF Version: PDF Version
[top]
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY:
Veterans Health Administration (VHA), Department of Veterans Affairs (VA).
ACTION:
Notice of a modified system of records.
SUMMARY:
Pursuant to the Privacy Act of 1974, notice is hereby given that the VA is modifying the system of records titled, "My Health e Vet Administrative Records-VA" (130VA10P2). This system is used to administer the My Health e Vet program, including registration and verification of Veteran identities or to register and authenticate those who have legal authority to participate in lieu of Veterans. It is also used to assign and verify administrators of the My Health e Vet portal, retrieve Veteran information to perform specific functions, and to allow access to specific information while providing other associated My Health e Vet electronic services in current and future program applications.
DATES:
Comments on this amended system of records must be received no later than 30 days after date of publication in the Federal Register . If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by the VA, the modified system of records will become effective a minimum of 30 days after date of publication in the Federal Register . If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.
ADDRESSES:
Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), Washington, DC 20420. Comments should indicate that they are submitted in response to "My Health e Vet Administrative Records-VA" (130VA10P2). Comments received will be available at regulations.gov for public viewing, inspection or copies.
FOR FURTHER INFORMATION CONTACT:
Stephania Griffin, VHA Chief Privacy Officer, 810 Vermont Avenue NW, Washington, DC 20420; telephone 704-245-2492 (Note: this is not a toll-free number).
SUPPLEMENTARY INFORMATION:
VA is amending the system of records by revising the System Number; System Location; Purpose of the System; Records Source Categories; Categories of Individuals Covered by the System; Categories of Records in the System; Routine Uses of Records Maintained in the System; Policies and Practices for Retrieval of Records; Policies and Practices for Retention and Disposal of Records; Administrative, Technical and Physical Safeguards; Record Access Procedure; Contesting Records Procedures; and Notification Procedure. VA is republishing the system notice in its entirety.
The System Number is changed from 130VA10P2 to 130VA10 to reflect the current organizational alignment.
The System Location is being amended to remove the VA National Data Centers and the contracted data storage system located in Culpepper, Virginia. Replacing this section is, "VA Enterprise Cloud Data Centers/Amazon Web Services, 1915 Terry Avenue, Seattle, WA 98101, and the VA Health Data Repository, 1615 Woodward Street, Austin, TX 78741."
The Purpose of the System is being amended to include, "administrative information may also be used for My Health e Vet help desk and staff to troubleshoot issues."
The Categories of Individuals Covered by the System number 3 is being amended to include " i.e., Secure Messaging Administrators, My Health e Vet Coordinators, Role Administrators, VA Health Resource Center helpdesk staff." This section will remove number 5 stating, "VA researchers fulfilling VA required authorization procedures."
[top] The Categories of Records in the System section is being amended to remove mother's maiden name. This section is being updated to reflect the following language: "These records include the following information for My Health e Vet users: name, birth sex, date of birth, social security number, ZIP code, email profile, secure messaging email address, user identification, internal control number, reference number, date of account creation, account status, match status, date and time of match, correlation status, Master Person Index (MPI)
The My Health e Vet Staff ( i.e., Coordinators and Providers) records include the following identification information: "name, work telephone number, work email, VA network identification, job title, office and department, login date and time, web analytics for the purpose of monitoring site usage, My Health e Vet portal access termination date, role and role level, and user DUZ (number)."
In the Records Source Categories section, number 2 is being updated to include delegates; number 3 will be updated to include administrative staff; number 4 is being updated to include developers and testers; number 5 is being updated to include MPI. Number 6 is being removed, "VA researchers fulfilling VA required authorization procedures in VHA Directive 1200.01(1)".
Routine use number 10 is being added to state, "To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach."
Routine use number 11 is being added to state, "VHA may disclose a My Health e Vet account user's information to a family member or friend after receiving the verbal permission of the My Health e Vet account user."
Routine use number 12 is being added to state, "To officials of labor organizations recognized under 5 U.S.C. chapter 71 provided that the disclosure is limited to information identified in 5 U.S.C. 7114(b)(4) that is relevant and necessary to their duties of exclusive representation concerning personnel policies, practices and matters affecting working conditions."
Policies and Practices for Retrieval of Records is being updated to include "electronic data interchange personal identifier."
Policies and Practices for Retention and Disposal of Records is being updated to remove, "Records from this system that are needed for audit purposes will be retained for at least six (6) years after a user's account becomes inactive. Routine records will be disposed of when the agency determines they are no longer needed for administrative, legal, audit, research, or other operational purposes, but no less than six (6) years from date of last account activity." This section is also being amended to include the Record Control Schedule (RCS) and Item Number(s).
Administrative, Technical and Physical Safeguards is being updated to include number 5, "VA Enterprise Cloud data storage conforms to security protocols as stipulated in VA Directives 6500 and 6517. Access control standards are stipulated in specific agreements with cloud vendors to restrict and monitor access."
Record Access Procedures is being amended to state, "Individuals seeking information on the existence and content of records in this system pertaining to them should contact the system manager in writing as indicated above, or may write or visit the VA facility location where they normally receive their care. A request for access to records must contain the requester's full name, address, telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort."
Contesting Record Procedures is being amended to state, "Individuals seeking to contest or amend records in this system pertaining to them should contact the system manager in writing as indicated above, or may write or visit the VA facility location where they normally receive their care. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record."
Notification Procedure is being amended to state, "Generalized notice is provided by the publication of this notice. For specific notice, see Record Access Procedure, above."
The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552al (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
Signing Authority
The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Kurt D. DelBene, Assistant Secretary for Information and Technology and Chief Information Officer, approved this document on January 18, 2024 for publication.
Dated: February 20, 2024.
Amy L. Rose,
Government Information Specialist, VA Privacy Service, Office of Compliance, Risk and Remediation, Office of Information and Technology, Department of Veterans Affairs.
SYSTEM NAME AND NUMBER:
"My Health e Vet Administrative Records-VA" (130VA10).
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Records are maintained at Veterans Health Administration (VHA) facilities, Department of Veterans Affairs (VA) Enterprise Cloud Data Centers/Amazon Web Services, 1915 Terry Avenue, Seattle, WA 98101, and the VA Health Data Repository, 1615 Woodward Street, Austin, TX 78741. Address locations for VHA facilities are listed in VA Appendix 1 of the biennial publications of the VA system of records.
SYSTEM MANAGER(S):
Official responsible for policies and procedures: Director of Veterans and Consumers Health Informatics Office, 8455 Colesville Road, Suite 1200, Silver Spring, Maryland 20910. Officials maintaining this system of record: VHA facilities (address locations for VHA facilities are listed in VA Appendix 1 of the biennial publications of the VA system of records) and the My Health e Vet Chief Information Officer, 550 Foothill Drive, Suite 400, Salt Lake City, Utah 84113.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
38 U.S.C. 501.
PURPOSE(S) OF THE SYSTEM:
[top] The purpose of this system of records is to administer the My Health e Vet program, including registration and verification of Veteran identities or to register and authenticate those who have legal authority to participate in lieu of Veterans. It is also used to assign and verify administrators of the My Health e Vet portal, retrieve Veteran information to perform specific functions, and to allow access to specific information while providing other associated My Health e Vet electronic services in current and future program applications. The
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Individuals covered by this system encompass: (1) All individuals who successfully register for a My Health e Vet account and whose identity has been verified; (2) Representatives of the above individuals who have been provided Delegate access to My Health e Vet including, but not limited to, Power of Attorney (POA), legal guardian, or VA and non-VA health care providers; (3) VA health care providers and certain administrative staff ( i.e. , Secure Messaging Administrators, My Health e Vet Coordinators, Role Administrators, VA Health Resource Center helpdesk staff etc.); and (4) VA Office of Information and Technology (OIT) staff and/or their approved contractors who may need to enter identifying, administrative information into the system to initiate, support and maintain electronic services for My Health e Vet participants.
CATEGORIES OF RECORDS IN THE SYSTEM:
These records include the following information for My Health e Vet users: name, birth sex, date of birth, social security number, ZIP code, email profile, secure messaging email address, user identification, internal control number, reference number, date of account creation, account status, match status, date and time of match, correlation status, Master Person Index (MPI) authentication status, date of death from MPI, login date and time, deactivation date and time, deactivation description and status, place and date of registration, user block access and comments, and delegate user identification associated with My Health e Vet accounts.
The My Health e Vet Staff ( i.e., Coordinators and Providers) records include the following identification information: name, work telephone number, work email, VA network identification, job title, office and department, login date and time, web analytics for the purpose of monitoring site usage, My Health e Vet portal access termination date, role and role level, and user DUZ (number).
RECORD SOURCE CATEGORIES:
Record sources include the individuals covered by this notice and an additional contributor, as listed below:
(1) All individuals who successfully register for a My Health e Vet account;
(2) Representatives of the above individuals who have been provided access to the private health space by the Veteran user, including but not limited to, POA, or VA, non-VA health care providers, and delegates;
(3) VA health care providers and administrative staff;
(4) VA OIT staff and/or their contractors and subcontractors, developers and testers who may need to enter information into the system to initiate, support and maintain My Health e Vet electronic services for My Health e Vet users;
(5) Veterans Health Information Systems and Technology Architecture (VistA), MPI and other VA Information Technology systems.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include information protected by the HIPAA Privacy Rule and 38 U.S.C. 7332, that information cannot be disclosed under a routine use unless there is also specific statutory authority in both provisions.
1. Contractors: To contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.
2. Law Enforcement: To a Federal, state, local, territorial, tribal or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting a violation or potential violation of law, whether civil, criminal, or regulatory in nature, or charged with enforcing or implementing such law, provided that the disclosure is limited to information that, either alone or in conjunction with other information, indicates such a violation. The disclosure of the names and addresses of Veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701.
3. National Archives and Records Administration (NARA): To the NARA in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.
4. Department of Justice (DoJ), Litigation, Administrative Proceeding: To the DoJ, or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when:
(a) VA or any component thereof;
(b) Any VA employee in his or her official capacity;
(c) Any VA employee in his or her individual capacity where DoJ has agreed to represent the employee; or
(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings.
5. Congress: To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.
6. Federal Agencies, Fraud and Abuse: To other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.
7. Data Breach Response and Remediation, for VA: To appropriate agencies, entities and persons when (a) VA suspects or has confirmed that there has been a breach of the system of records; (b) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize or remedy such harm.
8. Researchers, for Research: To epidemiological and other research facilities approved by the Under Secretary for Health for research purposes determined to be necessary and proper, provided that the names and addresses of Veterans and their dependents will not be disclosed unless those names and addresses are first provided to VA by the facilities making the request.
[top] 9. Federal Agencies, for Research: To a Federal agency for the purpose of conducting research and data analysis to
10. Data Breach Response and Remediation, for Another Federal Agency: To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
11. Family Member: VHA may disclose a My Health e Vet account user's information to a family member or friend after receiving the verbal permission of the My Health e Vet account user.
12. Unions, for Representation: To officials of labor organizations recognized under 5 U.S.C. Chapter 71 provided that the disclosure is limited to information identified in 5 U.S.C. 7114(b)(4) that is relevant and necessary to their duties of exclusive representation concerning personnel policies, practices and matters affecting working conditions.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are maintained on paper and electronic media, including hard drive disks, which are backed up to tape at regular intervals.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records may be retrieved by an individual's name, user identification, date of registration for My Health e Vet electronic services, ZIP code, electronic data interchange personal identifier, the VA assigned Integration Control Number (ICN), date of birth and/or Social Security Number, if provided.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records in this system are retained and disposed of in accordance with the schedule approved by the Archivist of the United States, General Records Schedule 3.2 Item 031.
ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS:
1. Access to and use of the My Health e Vet Administrative Records are limited to those persons whose official duties require such access. VA has established security controls and procedures to ensure that access is appropriately limited. Information System Security Officers and system data stewards review and authorize data access requests. VA regulates data access with security software that authenticates My Health e Vet administrative users and requires individually unique codes and passwords. VA provides Information Security training to all staff and instructs staff on the responsibility each person has for safeguarding data confidentiality. VA regularly updates security standards and procedures that are applied to systems and individuals supporting this program.
2. Physical access to computer rooms housing the My Health e Vet Administrative Records is restricted to authorized staff and protected by a variety of security devices. The Federal Protective Service or other security personnel provide physical security for the buildings housing computer systems and data centers.
3. Data transmissions between operational systems and My Health e Vet Administrative Records maintained by this system of records are protected by telecommunications security software and hardware as prescribed by Federal security and privacy laws as well as VA standards and practices. This includes firewalls, encryption and other security measures necessary to safeguard data as it travels across the VA Wide Area Network.
4. Copies of back-up computer files are maintained at secure off-site locations.
5. VA Enterprise Cloud data storage conforms to security protocols as stipulated in VA Directives 6500 and 6517. Access control standards are stipulated in specific agreements with cloud vendors to restrict and monitor access.
RECORD ACCESS PROCEDURES:
Individuals seeking information on the existence and content of records in this system pertaining to them should contact the system manager in writing as indicated above or write or visit the VA facility location where they normally receive their care. A request for access to records must contain the requester's full name, address, telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort.
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest or amend records in this system pertaining to them should contact the system manager in writing as indicated above or inquire in person at the VA health care facility they normally receive their care. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.
NOTIFICATION PROCEDURES:
Generalized notice is provided by the publication of this notice. For specific notice, see Record Access Procedure, above.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
75 FR 70365 (November 17, 2010); 81 FR 58005 (August 24, 2016).
[FR Doc. 2024-03715 Filed 2-22-24; 8:45 am]
BILLING CODE 8320-01-P