90 FR 156 pgs. 39485-39490 - Privacy Act of 1974; System of Records
Type: NOTICEVolume: 90Number: 156Pages: 39485 - 39490
Pages: 39485, 39486, 39487, 39488, 39489, 39490FR document: [FR Doc. 2025-15590 Filed 8-14-25; 8:45 am]
Agency: Veterans Affairs Department
Official PDF Version: PDF Version
[top]
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY:
Veterans Health Administration (VHA), Department of Veterans Affairs (VA).
ACTION:
Notice of a modified system of records.
SUMMARY:
[top] Pursuant to the Privacy Act of 1974, notice is hereby given that VA is modifying the system of records titled, "Non-VA Care (Fee) Records-VA" (23VA10NB3). This system is used to establish, determine, and monitor
DATES:
Comments on this new system of records must be received no later than 30 days after the date of publication in the Federal Register . If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the new system of records will become effective a minimum of 30 days after date of publication in the Federal Register . If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.
ADDRESSES:
Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), Washington, DC 20420. Comments should indicate that they are submitted in response to "Non-VA Care (Fee) Records-VA" (23VA10NB3). Comments received will be available at regulations.gov for public viewing, inspection, or copies.
FOR FURTHER INFORMATION CONTACT:
Stephania Griffin, VHA Chief Privacy Officer, 810 Vermont Avenue NW, (10DH03) Washington, DC 20420, Stephania.Griffin@va.gov, or at telephone number 704-245-2492 ( Note: This is not a toll-free number.)
SUPPLEMENTARY INFORMATION:
VA is modifying the system of records by revising the System Number; System Location; System Manager; Routine Uses of Records Maintained in the System, including Categories of Users and the Purposes of such Uses; Policies and Practices for Storage of Records; Policies and Practices for Retention and Disposal of Records; and Administrative, Technical, and Physical Safeguards, and Notification Procedure. VA is republishing the system of records notice in its entirety.
The System Number is being updated from 23VA10NB3 to 23VA10 to reflect the current VHA organizational routing symbol.
The System Location and System Manager are being amended to replace "VA Chief Business Office Purchased Care (CBOPC), Denver, Colorado" with "VHA Office of Finance, Payment Operations, Washington, DC."
The following Routine Uses were updated for clarification purposes:
1. Routine Use number 10 is being amended to state: "To: (a) a Federal agency or a health care provider when VA refers a patient for medical and other health services, or authorizes a patient to obtain such services and the information is needed by the Federal agency or health care provider to perform the services; or (b) a Federal agency or a health care provider under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, when treatment is rendered by VA under the terms of such contract or agreement or the issuance of an authorization, and the information is needed for purposes of medical treatment or follow-up, determination of eligibility for benefits, or recovery by VA of the costs of the treatment."
2. Routine Use number 26 is being amended to state: "To survey teams of the Joint Commission on Accreditation of Healthcare Organizations, College of American Pathologists, American Association of Blood Banks, and similar national accreditation agencies or boards with which VA has a contract or agreement to conduct such reviews, as relevant and necessary for the purpose of program review or the seeking of accreditation or certification."
3. Routine Use number 32 is added to state, "To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach."
4. Routine Use number 33 is added to state, "To the Federal Labor Relations Authority in connection with the investigation and resolution of allegations of unfair labor practices, the resolution of exceptions to arbitration awards when a question of material fact is raised, matters before the Federal Service Impasses Panel, and the investigation of representation petitions and the conduct or supervision of representation elections."
The Policies and Practices for Storage of Records is being updated to include that backup data is stored in a web based cloud storage system. This section will replace CBOPC with VHA Office of Finance, Payment Operations.
Policies and Practices for Retention and Disposal of Records is being updated to remove, "Paper and electronic documents at the authorizing health care facility related to authorizing the Non-VA Care (fee) and the services authorized, billed, and paid for are maintained in "Patient Medical Records-VA" (24VA10P2). These records are retained at health care facilities for a minimum of 3 years after the last episode of care. After the third year of inactivity the paper records are transferred to a records facility for 72 more years of storage. Automated storage media, imaged Non-VA Care (fee) claims, and other paper documents that are included in this system of records and not maintained in "Patient Medical Records-VA" (24VA10P2) are retained and disposed of in accordance with disposition authority approved by the Archivist of the United States. Paper records that are imaged for viewing electronically are destroyed after they have been scanned and the electronic copy is determined to be an accurate and complete copy of the paper record imaged." This section will now state that "Records in this system are retained and disposed of in accordance with the schedule approved by the Archivist of the United States, Records Control Schedule 10-1 items 6000.9".
The Administrative, Technical, and Physical Safeguards section is being updated to include number 7, which states "VA Enterprise Cloud data storage conforms to security protocols as stipulated in VA Directives 6500 and 6517. Access control standards are stipulated in specific agreements with Cloud vendors to restrict and monitor access".
The Notification Procedure Section is being modified to state "Individuals who wish to be notified if a record in this system of records pertains to them should submit the request following the procedures described in "Record Access Procedures," above."
Signing Authority
The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Eddie Pool, Deputy Chief Information Officer, Connectivity and Collaboration Services, Performing the Delegable Duties of the Assistant Secretary for Information and Technology and Chief Information Officer, approved this document on June 9, 2025 for publication.
Dated: August 13, 2025.
Saurav Devkota,
Government Information Specialist, VA Privacy Service, Office of Compliance, Risk and Remediation, Office of Information and Technology, Department of Veterans Affairs.
SYSTEM NAME AND NUMBER:
[top] "Non-VA Care (Fee) Records-VA" (23VA10).
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Paper and electronic records, including electronic images of Non-VA Care (fee) claims are maintained at the authorizing VA health care facility; the VA Financial Services Center (FSC), Austin, Texas; Austin Information Technology Center (AITC), Austin, Texas; and Federal record centers. Information is also stored in automated storage media records that are maintained at the authorizing Department of Veterans Affairs (VA) medical facility; Veterans Health Administration (VHA) Office of Finance, Payment Operations, Washington, DC, VA Headquarters, Washington, DC; VA Allocation Resource Center (ARC), Braintree, Massachusetts; VA Office of Information Field Offices (OIFO). Address locations for VA facilities are listed in VA Appendix 1 of the biennial Privacy Act Issuances publication.
SYSTEM MANAGER(S):
Executive Director, VHA Office of Finance, Payment Operations, VHA104financefrontofficestaff@va.gov, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
5 U.S.C. 301; 26 U.S.C. 61; and 38 U.S.C. 31, 109, 111, 501, 1151 1703, 1705, 1710, 1712, 1717, 1720, 1721, 1724, 1725, 1727, 1728,1741-1743, 1781, 1786, 1787, 3102, 5701(b)(6), 5701(g)(2), 5701(g)(4), 5701(c)(1), 5724, 7105, 7332, and 8131-8137. 38 CFR 2.6 and 45 CFR part 160 and 164. 44 U.S.C.; 45 U.S.C.; and Veterans Access, Choice, and Accountability Act of 2014.
PURPOSE(S) OF THE SYSTEM:
Records may be used to establish, determine, and monitor eligibility to receive VA benefits and for authorizing and paying non-VA health care services furnished to veterans and beneficiaries. Other uses of this information include reporting health care provider earnings to the Internal Revenue Service; for third party liability issues, including preparing responses to inquiries; performing statistical analyses for use in managerial activities, including resource allocation and planning; processing and adjudicating administrative benefit claims by Veterans Benefits Administration (VBA) Regional Office staff; conducting audits, reviews, and investigations by staff of the VA medical facility, Veterans Integrated Service Network (VISN) Offices, VA FSC, VA Headquarters, and VA's Office of Inspector General; in the conduct of law enforcement investigations; and in the performance of quality assurance audits, reviews, and investigations.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
1. Veterans who seek health care services under 38 U.S.C. Ch. 17.
2. Beneficiaries of other Federal agencies' authorized VA medical services.
3. Pensioned members of allied forces seeking health care services under 38 U.S.C. 109.
4. Health care providers treating individuals who receive care under 38 U.S.C. Ch. 1 and 17.
CATEGORIES OF RECORDS IN THE SYSTEM:
Records maintained in this system include application, eligibility, and claim information regarding payment determination for medical services provided to VA beneficiaries by non-VA health care institutions and providers. Application and eligibility data may include personal information of the claimant ( e.g., name, address, Social Security number, date of birth, date of death, VA claim number, other health insurance data); description of VA adjudicated compensable or non-compensable medical conditions; and military service data ( e.g., dates, branch and character of service, medical information). Claim data in this system may include information needed to properly consider claims for payment such as an Explanation of Benefits; description of the medical conditions treated and services provided; authorization and treatment dates; amounts claimed for health care services; health records, including films; and payment information ( e.g., invoice number, account number, date of payment, payment amount, check number, payee identifiers). Additional information may include the health care provider's name, address, and taxpayer identification number; correspondence concerning individuals and documents pertaining to claims for medical services; reasons for denial of payment; and appellate determinations.
RECORD SOURCE CATEGORIES:
The veteran or other VA beneficiary, family members, or accredited representatives, and other third parties; military service departments; private medical facilities and health care professionals; electronic trading partners; other Federal agencies; VHA facilities and automated systems; VBA facilities and automated systems; VA FSC facility and automated systems; and deployment status and availability.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include information protected by the Health Insurance Portability and Accountability Act Privacy Rule and 38 U.S.C. 7332, that information cannot be disclosed under a routine use unless there is also specific statutory authority in both provisions.
1. To a Federal, state, local, territorial, tribal, or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting a violation or potential violation of law, whether civil, criminal, or regulatory in nature, or charged with enforcing or implementing such law, provided that the disclosure is limited to information that, either alone or in conjunction with other information, indicates such a violation or potential violation. The disclosure of the names and addresses of veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701(f).
2. To a Federal, state, or local governmental agency, maintaining civil, criminal, or other relevant information, such as current licenses, registration or certification, if necessary, to obtain information relevant to an agency decision concerning the hiring or retention of an employee, the use of an individual as a consultant, attending or to provide non-VA care (fee), the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other health, educational, or welfare benefits. Any information in this system also may be disclosed to any of the above-listed governmental organizations as part of a series of ongoing computer matches to determine if VA health care practitioners and private practitioners VA uses VA hold current, unrestricted licenses, or are currently registered in a state, and are board certified in their specialty, if any.
3. To a Federal agency, except the United States Postal Service, or to the District of Columbia government, in response to its request, in connection with that agency's decision on the hiring, transfer, or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit by that agency.
[top] 4. To the Department of the Treasury to facilitate payments to physicians, clinics, and pharmacies for
5. To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.
6. To the National Archives and Records Administration (NARA) in records management inspections conducted under 44 U.S.C. 2904, 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.
7. To a Federal agency, a state or local government licensing board, the Federation of State Medical Boards, or a similar non-governmental entity that maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty, to inform such non-governmental entities about the health care practices of a terminated, resigned, or retired health care employee whose professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients in the private sector or from another Federal agency. These records may also be disclosed as part of an ongoing computer matching program to accomplish these purposes.
8. To the National Practitioner Data Bank at the time of hiring or clinical privileging/re-privileging of health care practitioners, and other times as VA deems necessary, in order for VA to obtain information relevant to a Department decision concerning the hiring, privileging/re-privileging, retention, or termination of the applicant or employee.
9. To the National Practitioner Data Bank or a state licensing board in the state in which a practitioner is licensed, in which the VA facility is located, or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning:
(a) Any payment for the benefit of a physician, dentist, or other licensed health care practitioner that was made as the result of a settlement or judgment of a claim of medical malpractice, if an appropriate determination is made in accordance with Department policy that payment was related to substandard care, professional incompetence, or professional misconduct on the part of the individual;
(b) A final decision that relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician or dentist for a period longer than 30 days; or
(c) The acceptance of the surrender of clinical privileges or any restriction of such privileges by a physician or dentist, either while under investigation by the health care entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer matching program to accomplish these purposes.
10. To:
(a) a Federal agency or a health care provider when VA refers a patient for medical and other health services, or authorizes a patient to obtain such services and the information is needed by the Federal agency or health care provider to perform the services; or
(b) a Federal agency or a health care provider under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, when VA renders treatment under the terms of such contract or agreement or the issuance of an authorization and the information is needed for purposes of medical treatment or follow-up, determination of eligibility for benefits, or recovery by VA of the costs of the treatment.
11. To the Department of the Treasury to report calendar year earnings of $600 or more for income tax reporting purposes.
12. To another Federal agency for its use in identifying potential duplicate payments for health care services VA and that agency paid for. Information disclosed may include the name, date of birth, Social Security number of a veteran or beneficiary, and any other identifying and claim information as is reasonably necessary, such as provider identification, description of services furnished, and VA payment amount, may be disclosed This information may also be disclosed as part of a computer matching agreement to accomplish this purpose.
13. To contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.
14. To attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and courts, boards, or commissions as relevant and necessary to aid VA in the preparation, presentation, and prosecution of claims authorized by law.
15. To the Department of Justice or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when any of the following is a party to such proceedings or has an interest in such proceedings, and VA determines that the use of such records is relevant and necessary to the proceedings:
(a) VA or any component thereof;
(b) Any VA employee in their official capacity;
(c) Any VA employee in their individual capacity where the Department of Justice has agreed to represent the employee; or
(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components.
16. Any information in this system may be disclosed in connection with any proceeding for the collection of an amount owed to the United States by virtue of a person's participation in any benefit program VHA administered when in the judgment of the Secretary, or an official generally delegated such authority under standard agency delegation of authority rules (38 CFR 2.6), such disclosure is deemed necessary and proper, in accordance with 38 U.S.C. 5701(b)(6).
17. To a consumer reporting agency for the purpose of locating the individual, obtaining a consumer report to determine the ability of the individual to repay an indebtedness to the United States, or assisting in the collection of such indebtedness, provided that the provisions of 38 U.S.C. 5701(g)(2) and (g)(4) have been met, provided that the disclosure is limited to information that is reasonably necessary to identify such individual or concerning that individual's indebtedness to the United States by virtue of the person's participation in a benefits program the Department administered.
18. In response to an inquiry about a named individual from a member of the general public, information from this system may be disclosed to report the amount of VA monetary benefits the individual is receiving. This disclosure is consistent with 38 U.S.C. 5701(c)(1).
[top] 19. To a Federal agency for the purpose of conducting research and data analysis to perform a statutory purpose of that Federal agency upon the written request of that agency.
20. To accredited service organizations, VA-approved claim agents, and attorneys acting under a declaration of representation, upon request, so that these individuals can aid claimants in the preparation, presentation, and prosecution of claims under the laws VA administers, provided that the disclosure is limited to information relevant to a claim, such as the name, address, the basis and nature of a claim, amount of benefit payment information, medical information, and military service and active duty separation information.
21. To a fiduciary or guardian ad litem in relation to his or her representation of a claimant in any legal proceeding as relevant and necessary to fulfill the duties of the fiduciary or guardian ad litem.
22. To the Department of the Treasury as a report of income under 26 U.S.C. 61(a)(12), provided that the disclosure is limited to information concerning an individual's indebtedness that is waived under 38 U.S.C. 3102, compromised under 4 CFR part 103, otherwise forgiven, or for which the applicable statute of limitations for enforcing collection has expired.
23. To the Department of the Treasury for the collection of title 38 benefit overpayments, overdue indebtedness, or costs of services provided to an individual not entitled to such services, by the withholding of all or a portion of the person's Federal income tax refund, provided that the disclosure is limited to information concerning an individual's indebtedness by virtue of a person's participation in a benefits program VA administered.
24. To the Social Security Administration and the Department of Health and Human Services for the purpose of conducting computer matches to obtain information to validate the Social Security numbers maintained in VA records.
25. The name and address of any health care provider in this system of records who has received payment for claimed services on behalf of a veteran or beneficiary may be disclosed in response to an inquiry from a member of the general public.
26. To survey teams of the Joint Commission on Accreditation of Healthcare Organizations, College of American Pathologists, American Association of Blood Banks, and similar national accreditation agencies or boards with which VA has a contract or agreement to conduct such reviews, as relevant and necessary for the purpose of program review or the seeking of accreditation or certification.
27. To a health care provider seeking reimbursement for claimed medical services to facilitate billing processes, verify eligibility for requested health care services, and provide payment information for claimed services, provided that information disclosed is eligibility and claim information. Eligibility or entitlement information disclosed may include the name, Social Security number, effective dates of eligibility, reasons for any period of ineligibility, and evidence of other health insurance information of the named individual. Claim information disclosed may include payment information such as payment identification number, date of payment, date of service, amount billed, amount paid, name of payee, and reasons for non-payment.
28. To other Federal agencies for the purpose of conducting computer matches to obtain information to determine or verify eligibility of veterans receiving VA benefits or medical care under title 38.
29. To Federal agencies and government-wide third-party insurers responsible for payment of the cost of medical care for the identified patients, to seek recovery of the medical care costs. These records may also be disclosed as part of a computer matching program to accomplish this purpose.
30. To other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.
31. To appropriate agencies, entities, and persons when (a) VA suspects or has confirmed that there has been a breach of the system of records; (b) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
32. To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
33. To the Federal Labor Relations Authority in connection with the investigation and resolution of allegations of unfair labor practices, the resolution of exceptions to arbitration awards when a question of material fact is raised, matters before the Federal Service Impasses Panel, and the investigation of representation petitions and the conduct or supervision of representation elections.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are maintained as paper documents or stored electronically on magnetic discs, magnetic tape, and optical or digital imaging at the authorizing VA health care facility. Reports and information on automated storage media ( e.g., microfilm, microfiche, magnetic tape and disks, and digital and laser optical media) is stored at the authorizing VA health care facility, VA Headquarters, ARC, OIFOs, FSC, AITC, and VISN offices.
Information pertaining to electronic claims submitted to VA for payment consideration may be stored at the authorizing VA health care facility, FSC, AITC, and at VHA Office of Finance, Payment Operations. Records maintained at VHA Office of Finance, Payment Operations are stored electronically. Backup data is stored in a web based cloud storage systems.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Paper and electronic records pertaining to the individual may be retrieved by the name or Social Security number of the record subject. Records pertaining to the health care provider are retrieved by the name or Social Security and taxpayer identification number of the non-VA health care institution or provider. Records at ARC are retrieved only by Social Security number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records in this system are retained and disposed of in accordance with the schedule the Archivist of the United States approved, Records Control Schedule 10-1 items 6000.9.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
[top] 1. VA will maintain the data in compliance with applicable VA security policy directives that specify the standards that will be applied to protect sensitive personal information. Contractors and their subcontractors who access the data are required to
2. Electronic data security complies with applicable Federal Information Processing Standards issued by the National Institute of Standards and Technology. Access to computer rooms at health care facilities is generally limited by appropriate locking devices and restricted to authorized VA employees and vendor personnel. Peripheral devices are generally placed in secure areas (areas that are locked or have limited access) or are otherwise protected. Access to file information is controlled at two levels. The system recognizes authorized employees by a series of individually unique passwords/codes that the employee must change periodically, and role-based access limits employees to only that information in the file which is needed in the performance of their official duties. Information that is downloaded and maintained on personal computers is afforded similar storage and access protections as the data that is maintained in the original files. Remote access to file information by staff of OIFOs, and access by Office of Inspector General (OIG) staff conducting an audit or investigation at the health care facility or an OIG office location remote from the health care facility is controlled in the same manner.
3. Access to FSC and AITC is generally restricted to each Center's employees, custodial personnel, and security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. Authorized VA employees at remote locations, including VA health care facilities, OIFOs, VA Headquarters, VISN offices, and OIG Headquarters and field staff, may access information stored in the computer. Access is controlled by individually unique passwords/codes that the employee must change periodically.
4. Access to records maintained at VA Headquarters, ARC, OIFOs, and VISN offices is restricted to VA employees who have a need for the information in the performance of their official duties. Access to information stored on automated storage media is controlled by individually unique passwords/codes that the employee must change periodically. Authorized VA employees at remote locations including VA health care facilities may access information stored in the computer. Access is controlled by individually unique passwords/codes. Records are maintained in manned rooms during non-working hours. Security personnel protect facilities from outside access during working hours.
5. Information downloaded and maintained by the OIG Headquarters and field offices on automated storage media is secured in storage areas or facilities to which only OIG staff members have access. Paper documents are similarly secured. Access to paper documents and information on automated storage media is limited to OIG employees who have a need for the information in the performance of their official duties. Access to information stored on automated storage media is controlled by individually unique passwords/codes.
6. Access to records maintained at VHA Office of Finance, Payment Operations is restricted to VA employees who have a need for the information in the performance of their official duties. Access to information stored on automated storage media is controlled by individually unique passwords/codes that the employee must change periodically. Authorized VA employees at remote locations including VA health care facilities may access and print information stored in the computer. Access is controlled by individually assigned unique passwords/codes. Records are maintained in a secured, pass card protected and alarmed room. Security personnel protect the facilities from outside access during non-working hours.
7. VA Enterprise Cloud data storage conforms to security protocols as stipulated in VA Directives 6500, VA Cybersecurity Program, and 6517, Risk Management Framework for Cloud Computing Services. Access control standards are stipulated in specific agreements with Cloud vendors to restrict and monitor access.
RECORD ACCESS PROCEDURE:
Individuals seeking information on the existence and content of records in this system pertaining to them should contact the system manager in writing as indicated above. A request for access to records must contain the requester's full name, address and telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort.
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest or amend records in this system pertaining to them should contact the system manager in writing as indicated above. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.
NOTIFICATION PROCEDURE:
Individuals who wish to be notified if a record in this system of records pertains to them should submit the request following the procedures described in "Record Access Procedures," above.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
80 FR 45590 (July 30, 2015); 74 FR 44905 (August 31, 2009); and 67 FR 61205 (September 27, 2002).
[FR Doc. 2025-15590 Filed 8-14-25; 8:45 am]
BILLING CODE 8320-01-P