90 FR 156 pgs. 39475-39479 - Privacy Act of 1974; System of Records
Type: NOTICEVolume: 90Number: 156Pages: 39475 - 39479
Pages: 39475, 39476, 39477, 39478, 39479FR document: [FR Doc. 2025-15588 Filed 8-14-25; 8:45 am]
Agency: Veterans Affairs Department
Official PDF Version: PDF Version
[top]
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY:
Veterans Health Administration (VHA), Department of Veterans Affairs (VA).
ACTION:
Notice of a modified system of records.
SUMMARY:
Pursuant to the Privacy Act of 1974, notice is hereby given that the VA is modifying the system of records titled, "Veteran, Patient, Employee, and Volunteer Research and Development Project Records-VA" (34VA10). This system of records is used to determine eligibility for research funding, to determine handling of intellectual properties, to manage proposed and/or approved research endeavors, and to evaluate the research and development program. This system may also be used for data analysis to address specific questions and gain generalizable knowledge and deepen understanding of a topic or issue.
DATES:
Comments on this modified system of records must be received no later than 30 days after date of publication in the Federal Register . If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the new system of records will become effective a minimum of 30 days after date of publication in the Federal Register . If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.
ADDRESSES:
Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), Washington, DC 20420. Comments should indicate that they are submitted in response to "Veteran, Patient, Employee, and Volunteer Research and Development Project Records-VA" (34VA10). Comments received will be available at regulations.gov for public viewing, inspection or copies.
FOR FURTHER INFORMATION CONTACT:
Stephania Griffin, VHA Chief Privacy Officer, 810 Vermont Avenue NW, (10DH03A), Washington, DC 20420, stephania.griffin@va.gov, telephone number 704-245-2492. ( Note: This is not a toll-free number).
SUPPLEMENTARY INFORMATION:
[top] VA is modifying this system of records by revising the System Location; System Manager; Records Source Categories; Routine Uses of Records Maintained in
The System Location is being updated to include that records are also located at the VA Enterprise Cloud Data Centers/Amazon Web Services, 1915 Terry Avenue, Seattle, WA 98101.
The System Manager has been updated to include VHAResearchPrivacy@va.gov.
The Records Source Categories has been updated to add research team members to, "(8) research and development investigators" as well as "(11) research sponsors and (12) other VA research subjects."
Policies and Practices for Retention and Storage of Records is being amended to state: "Records in this system are retained and disposed of in accordance with the schedule approved by the Archivist of the United States, VHA Records Control Schedule 10-1, Item Number 8300.6."
The following Routine Uses were updated for clarification purposes: Routine Use number 1 is being amended to state: "Governmental Agencies, Health Organizations, for Claimants' Benefits: VA may disclose information to Federal, state, and local government agencies and national health organizations as reasonably necessary to assist in the development of programs that will be beneficial to claimants, to protect their rights under law, and assure that they are receiving all benefits to which they are entitled.
Routine Use number 2 is being amended to state, "Law Enforcement: VA may disclose information that, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, to a Federal, state, local, territorial, tribal, or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing such law. The disclosure of the names and addresses of Veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701. If the disclosure is in response to a request from a law enforcement entity, the request must meet the requirements for a qualifying law enforcement request under the Privacy Act, 5 U.S.C. 552a(b)(7)."
Routine Use number 10 is being amended to state, "Former Employee or Contractor, Representative, for State Licensing Board Reporting: VA may disclose information to a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in connection with or in consideration of reporting that the individual's professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients, to a Federal agency, a state or local government licensing board, or the Federation of State Medical Boards or a similar non-governmental entity that maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty."
Routine uses number 21 is being added to state, "Federal Agencies, for Research: VA may disclose information to a Federal agency for the purpose of conducting research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency."
The Administrative, Technical, and Physical Safeguards section is being updated to include, "The system is hosted in Amazon Web Services Government Cloud infrastructure as a service cloud computing environment that has been authorized at the high-impact level under the Federal Risk and Authorization Management Program. The secure site-to-site encrypted network connection is limited to access via the VA trusted internet connection."
The Notification Procedures section is being updated to state "?"Individuals who wish to be notified if a record in this system of records pertains to them should submit the request following the procedures described in "Record Access Procedures," above."
The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
Signing Authority
The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Eddie Pool, Deputy Chief Information Officer, Connectivity and Collaboration Services, Performing the Delegable Duties of the Assistant Secretary for Information and Technology and Chief Information Officer, approved this document on June 10, 2025 for publication.
Dated: 8/13/2025.
Saurav Devkota,
Government Information Specialist, VA Privacy Service, Office of Compliance, Risk and Remediation, Office of Information and Technology, Department of Veterans Affairs.
SYSTEM NAME AND NUMBER:
"Veteran, Patient, Employee, and Volunteer Research and Development Project Records-VA" (34VA10)
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Records are maintained at each Department of Veterans Affairs (VA) health care facility where the research project was conducted, at VA facilities where research administration or oversight activities occur, and at VA Central Office. Address locations are listed in VA Appendix 1 of the biennial Privacy Act Issuance publication. In addition, records are maintained at contractor and fieldwork sites as studies are developed, data collected, and reports written. Records are also located at the VA Enterprise Cloud/Amazon Web Services, 1915 Terry Avenue, Seattle, WA 98101.
SYSTEM MANAGER(S):
Director of Office of Research Protections, Policy and Education, VHAResearchPrivacy@va.gov or Office of Research and Development, Department of Veterans Affairs, 810 Vermont Ave. NW, Washington, DC 20420. Telephone number 202-443-5681. ( Note: this is not a toll-free number)
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
38 U.S.C. 7301.
PURPOSE(S) OF THE SYSTEM:
[top] The system may be used to determine eligibility for research funding, to determine handling of intellectual properties, to manage proposed and/or approved research endeavors, and to evaluate the research and development program. The system may also be used for data analysis to answer a specific question and obtain generalizable knowledge and increased understanding of a topic or issue.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The following categories of individuals will be covered by this system: (1) Veterans; (2) patients; (3) employees; (4) volunteers ( e.g., caregivers, non-patient/non-Veterans, VA research subjects) in research projects being performed by VA, by a VA contractor or by another Federal agency in conjunction with VA; (5) members of research committee or subcommittees; and (6) research and development investigators and research and development employees.
CATEGORIES OF RECORDS IN THE SYSTEM:
Records, or information contained in records, vary according to the specific research involved or research related activity involved and may include: (1) Research on biomedical, prosthetic and health care services; (2) research stressing spinal cord injuries and diseases and other disabilities that tend to result in paralysis of the lower extremities; and (3) morbidity and mortality studies on former prisoners of war; (4) research related to injuries sustained while on active duty military service such as traumatic amputations, traumatic brain injury, and burns; (5) electronic or other databases containing research information developed during a research project(s) or for future research; (6) research information management systems such as the Research and Development Information System (RDIS); (7) copies of medical records of research participants; (8) merit review of the research projects; (9) review and evaluation of proposed research; (10) continuing review and oversight of ongoing research; (11) evaluations performed by research committees; (12) a review and evaluation of the research and development investigators and of the participants in the program; and (13) a contracted research review system. The review and evaluation information concerning the research and development investigators may include personal and educational background information as well as specific information concerning the type of research conducted. Invention records contain: a certification page, describing the place, time, research support related to the invention and co-inventors; Technology Transfer Program Invention Evaluation Sheet Internal or External Invention Assessment reports; RDIS reports or other research information management system reports contain compliance information involving research projects conduct, support and oversight; Correspondence; and the Office of General Counsel Letter of Determination.
RECORD SOURCE CATEGORIES:
(1) Patients and patient records, (2) employees and volunteers, (3) other Federal agencies, (4) National Institutes of Health, (5) Centers for Disease Control (Atlanta, Georgia), (6) individual Veterans, (7) other VA systems of records and information technology systems or databases, (8) research and development investigators and research team members, (9) research and development databases, (10) non-subjects, (11) research sponsors, and (12) other VA research subjects.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164, permitting disclosure.
1. Governmental Agencies, Health Organizations, for Claimants' Benefits: To Federal, state, and local government agencies and national health organizations as reasonably necessary to assist in the development of programs that will be beneficial to claimants, to protect their rights under law, and assure that they are receiving all benefits to which they are entitled.
2. Law Enforcement Authorities, for Reporting Violations of Law: To a Federal, state, local, territorial, tribal, or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting a violation or potential violation of law, whether civil, criminal, or regulatory in nature, or charged with enforcing or implementing such law, provided that the disclosure is limited to information that, either alone or in conjunction with other information, indicates such a violation or potential violation. A disclosure of information about veterans or their dependents from VA claims files under this routine use must also comply with the requirements of 38 U.S.C. 5701(f).
3. Congress: To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.
4. National Archives and Records Administration (NARA): To NARA in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.
5. Researchers, for Research: To epidemiological and other research facilities approved by the Under Secretary for Health for research purposes determined to be necessary and proper, provided that the names and addresses of Veterans and their dependents will not be disclosed unless those names and addresses are first provided to VA by the facilities making the request.
6. Nonprofits, for Release of Name and Address: To a nonprofit organization if the release is directly connected with the conduct of programs and the utilization of benefits under title 38, provided that the disclosure is limited the names and addresses of present or former members of the armed services or their beneficiaries, the records will not be used for any purpose other than that stated in the request, and the organization is aware of the penalty provision of 38 U.S.C. 5701(f).
7. Federal Agencies, for VA Research: To conduct VA research, names, addresses, and Social Security Numbers may be disclosed to other Federal and state agencies for the purpose of the Federal or state agency disclosing information on the individuals back to VA.
8. General Public, Governmental and Non-governmental Agencies, and Commercial Organizations, from VA approved research: Upon request for research project data from VA approved research, the following information will be released to the general public, including governmental and non-governmental agencies and commercial organizations: Project title and number; name and educational degree of principal investigator unless the release of this information would place the investigator at risk (physical, professional, etc.); Veterans Health Administration medical center location; type (initial, progress, or final) and date of last report; name and educational degree of associate investigators unless the release of this information would place the investigator at risk (physical, professional, etc.); project abstract if the project is ongoing, and project summary if the project has been completed. In addition, upon specific request, keywords and indexing codes will be included for each project.
[top] 9. General Public, Governmental and Non-governmental Agencies, and Commercial Organizations, for VA employees: Upon request for
10. Former Employee or Contractor, Representative, for State Licensing Board (SLB) Reporting: VA may disclose information to a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in connection with or in consideration of reporting that the individual's professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients, to a Federal agency, a state or local government licensing board, or the Federation of State Medical Boards or a similar non-governmental entity that maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty.
11. National Practitioner Data Bank (NPDB), for Hiring, Privileging: To the NPDB at the time of hiring or clinical privileging/re-privileging of health care practitioners, and other times as deemed necessary by VA, in order for VA to obtain information relevant to a Department decision concerning the hiring, privileging/re-privileging, retention, or termination of the applicant or employee.
12. NPDB, SLB, for Medical Malpractice: To the National Practitioner Data Bank or an SLB in the state in which a practitioner is licensed, in which the VA facility is located, or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning: (1) Any payment for the benefit of a physician, dentist, or other licensed health care practitioner that was made as the result of a settlement or judgment of a claim of medical malpractice, if an appropriate determination is made in accordance with Department policy that payment was related to substandard care, professional incompetence, or professional misconduct on the part of the individual; (2) a final decision that relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician or dentist for a period longer than 30 days; or (3) the acceptance of the surrender of clinical privileges or any restriction of such privileges by a physician or dentist, either while under investigation by the health care entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer matching program to accomplish these purposes.
13. Qualified Reviewers, for Application Review Process: Information concerning individuals who have submitted research program proposals for funding, including the investigator's name, Social Security Number, research qualifications and the investigator's research proposal, may be disclosed to qualified reviewers for their opinion and evaluation of the applicants and their proposals as part of the application review process.
14. Department of Justice (DoJ) for Litigation or Administrative Proceeding: To the Department of Justice (DoJ), or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when any of the following is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings:
(a) VA or any component thereof;
(b) A VA employee in their official capacity;
(c) A VA employee in their individual capacity where DoJ has agreed to represent the employee; or
(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components.
15. Affiliated Intellectual Property Partners: To affiliated intellectual property partners to aid in the possible use, interest in, or ownership rights in VA intellectual property.
16. Individual, Merit Review: To an individual concerning merit review of proposals submitted by that individual, except that information concerning a third party, such as the name or other identifying information about the qualified reviewer of the proposal.
17. Federal Agencies, Fraud and Abuse: To other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.
18. Data Breach Response and Remediation, for VA: To appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records, (2) VA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with VA's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
19. Contractors: To contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.
20. Data Breach Response and Remediation, for Another Federal Agency: To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
21. Federal Agencies, for Research: To a Federal agency for the purpose of conducting research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are stored in (1) Paper documents, (2) microscope slides, (3) magnetic tape or disk or other electronic media, (4) photographs, (5) microfilm, (6) web-based cloud storage systems, and (7) recordings (audio and video).
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records are retrieved by individual identifiers and indexed by a specific project site or location, project number, or under the name of the research or development investigator.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
[top] Records in this system are retained and disposed of in accordance with the
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
VA will maintain the data in compliance with applicable VA security policy directives that specify the standards that will be applied to protect sensitive personal information. Access to VA working space and medical record storage areas is restricted to VA employees on a "need-to-know" basis.
Generally, VA file areas are locked after normal duty hours and protected from outside access by the Federal Protective Service. Employee file records and file records of public figures or otherwise sensitive medical record files are stored in separate locked files. Access to automated information systems is protected by an approved form of two factor authentication and communications are encrypted at rest and in transit.
Access to a contractor's records and their system of computers used with the particular project are available to authorized personnel only. Records on investigators stored on automated storage media are accessible by authorized VA personnel via VA computers or computer systems. They are required to take annual VA mandatory data privacy and security training. Security complies with applicable Federal Information Processing Standards issued by the National Institute of Standards and Technology. Contractors and their subcontractors who access the data are required to maintain the same level of security as VA employees.
The system is hosted in Amazon Web Services Government Cloud infrastructure as a service cloud computing environment that has been authorized at the high-impact level under the Federal Risk and Authorization Management Program. The secure site-to-site encrypted network connection is limited to access via the VA trusted internet connection.
RECORD ACCESS PROCEDURE:
Individuals seeking information regarding the existence and content of records in this system related to research project submissions or participation in research projects may write, call or visit the VA location where the records were initially generated. A request for access to records must contain the requester's full name, address, telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort.
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest or amend records in this system related to research project submissions or participation in research projects may write, call or visit the VA location where the records were initially generated. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.
NOTIFICATION PROCEDURE:
Individuals who wish to be notified if a record in this system of records pertains to them should submit the request following the procedures described in "Record Access Procedures," above.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
40 FR 38095 (August 26, 1975), 59 FR 16705 (March 27, 2001), 75 FR 29818 (May 27, 2010), 86 FR 33015 (June 23, 2021).
[FR Doc. 2025-15588 Filed 8-14-25; 8:45 am]
BILLING CODE 8320-01-P