[Federal Register Volume 78, Number 215 (Wednesday, November 6, 2013)]
[Notices]
[Pages 66806-66812]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-26520]
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974
AGENCY: Department of Veterans Affairs (VA).
ACTION: Notice of a New System of Records.
-----------------------------------------------------------------------
SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552(e) (4)) requires all
agencies publish in the Federal Register a notice of the existence and
character of their systems of records. Notice is hereby given that the
Department of Veterans Affairs (VA) is establishing a new system of
records titled ``VA Mobile Application Environment (MAE)-VA''
(173VA005OP2).
DATES: Comments on this new system of records must be received no later
than December 6, 2013. If no public comment is received during the
period allowed for comment or unless otherwise published in the Federal
Register by VA, the new system will become effective December 6, 2013.
ADDRESSES: Written comments concerning the proposed amended system of
records may be submitted by: Mail or hand-delivery to Director,
Regulations Management (02REG), Department of Veterans Affairs, 810
Vermont Avenue NW, Room 1068, Washington, DC 20420; fax to (202) 273-
9026; or email to http://www.Regulations.gov. All comments received
will be available for public inspection in the Office of Regulation
Policy and Management, Room 1063B, between the hours of 8:00 a.m. and
4:30 p.m., Monday through Friday (except holidays). Please call (202)
461-4902 for an appointment. (This is not a toll-free number.)
FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA)
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue
NW., Washington, DC 20420 or by telephone at (704) 245-2492.
SUPPLEMENTARY INFORMATION:
[[Page 66807]]
I. Description of Proposed Systems of Records
The MAE contains the core set of records to be used to support VA
efforts to expand its technology into the mobile and Web-based
application domain as well as facilitate utilization of applications
and systems directly by patients and VA customers. The proposed system
of records contains information on Veterans, Veteran beneficiaries,
Veteran caregivers, members of the Armed Forces, and other VA customers
in addition to VA-authorized users. VA-authorized users are VA
employees, VA contractors, VA volunteers, and other individuals with
permission to access VA Information Technology (IT) systems. These data
are stored in VA resources, accessible to authorized users through
applications utilizing services available in VA's MAE middle tier
service layer (the VA Health Adapter). These records will be used in
the provision of health care and benefits by VA. The records contain
information that will be directly updated by Veterans, Veteran
beneficiaries, Veteran caregivers, members of the Armed Forces,
Reserves and National Guard, other VA customers, and VA-authorized
users, such as demographics (e.g., name, social security number,
physical address, phone number, email address), health-related
information (e.g., vital signs, allergies, medications, health-related
history, health assessments), benefits-related information, information
provided to VA for the potential provision of services and benefits,
military history and service, preferences for authorizing the sharing
of their health information (e.g., electronic surrogate authorizations,
electronic surrogate revocations). The records may include identifiers
such as VA's integration control number. The records include
information provided by Veterans and their beneficiaries or caregivers,
members of the Armed Forces, Reserves or National Guard, VA employees,
other VA-authorized users (e.g., Department of Defense), and
information from VA computer systems and databases including, but not
limited to, Veterans Health Information Systems and Technology
Architecture (VistA)-VA (79VA10P2), National Patient Databases-VA
(121VA10P2), VA Medical Centers (VAMC), Federal and non-Federal
Veterans Lifetime Electronic Records (VLER)/eHealth Exchange partners,
and the Department of Defense (DoD).
The purpose of the system of records is to provide a repository for
the clinical and administrative information that is collected,
retrieved, or displayed from within a VA mobile or Web application. The
purpose of use will include, but not be limited to: Health care
treatment information, disability adjudication, and benefits to the
Veteran both within the VAMC and in sharing with partners who are
participating through the eHealth Exchange in VA's Mobile pilots and
subsequent public and enterprise roll-out of new applications. Data may
also be used at an aggregate, non-personally identifiable level to
track and evaluate local or national health and benefits initiatives
and preventative-care measures, such as detecting outbreaks of flu or
other diseases, detection of antibiotic resistance bacteria, etc. The
data may be used for such purposes as scheduling patient treatment
services, including nursing care, clinic appointments, surveys,
diagnostic and therapeutic procedures. The data may also be used for
the purpose of health care operations such as: Producing various
management and patient follow-up reports; responding to patients and
other inquiries for epidemiological research and other health care-
related studies, statistical analysis, resource allocation and
planning; providing clinical and administrative support to patient
medical care; determining entitlement and eligibility for VA benefits;
processing and adjudicating benefit claims by Veterans Benefits
Administration Regional Office (VARO) staff, for audits, reviews, and
investigations conducted by staff of VA Central Office, and VA's Office
of Inspector General (OIG); sharing of health information between and
among VHA, DoD, Indian Health Services (IHS), and other Government and
private industry health care organizations; law enforcement
investigations; quality assurance audits, reviews, and investigations;
personnel management and evaluation; employee ratings and performance
evaluations; and employee disciplinary or other adverse action,
including discharge; advising health care professional licensing or
monitoring bodies or similar entities of activities of VA and former VA
health care personnel.
II. Proposed Routine Use Disclosures of Data in the System
To the extent that records contained in the system include
information protected by 38 United States Code (U.S.C.) 7332 (e.g.,
medical treatment information related to drug abuse, alcoholism or
alcohol abuse, sickle cell anemia or infection with the human
immunodeficiency virus). That information cannot be disclosed under a
routine use unless there is also specific statutory authority
permitting disclosure.
VHA is proposing the following routine use disclosures of
information to be maintained in the system:
1. On its own initiative, VA may disclose information, except for
the names and home addresses of Veterans and their dependents, to a
Federal, state, local, tribal, or foreign agency charged with the
responsibility of investigating or prosecuting civil, criminal, or
regulatory violations of law, or charged with enforcing or implementing
the statute, regulation, rule, or order issued pursuant thereto. On its
own initiative, VA may also disclose the names and addresses of
Veterans and their dependents to a Federal agency charged with the
responsibility of investigating or prosecuting civil, criminal, or
regulatory violations of law, or charged with enforcing or implementing
the statute, regulation, rule, or order issued pursuant thereto. VA
must be able to comply with the requirements of agencies charged with
enforcing the law and conducting investigations. VA must also be able
to provide information to state or local agencies charged with
protecting the public's health as set forth in state law.
2. Disclosure may be made to any source from which additional
information is requested (to the extent necessary to identify the
individual, inform the source of the purpose(s) of the request, and to
identify the type of information requested), when necessary to obtain
information relevant to an individual's eligibility, care history, or
other benefits.
3. Disclosure may be made to an agency in the executive,
legislative, or judicial branch, or the District of Columbia's
government in response to its request or at the initiation of VA, in
connection with disease tracking, patient outcomes, or other health
information required for program accountability.
4. The record of an individual who is covered by a system of
records may be disclosed to a Member of Congress or a staff person
acting for the Member, when the Member or staff person requests the
record on behalf of and at the written request of the individual.
Individuals sometimes request the help of a Member of Congress in
resolving some issues relating to a matter before VA. The Member of
Congress then writes to VA, and VA must be able to give sufficient
information to give response to the inquiry.
5. Disclosure may be made to the National Archives and Records
Administration (NARA) and the General Services Administration (GSA) in
[[Page 66808]]
records management inspections conducted under authority of Title 44,
Chapter 29, of the United States Code. NARA and GSA are responsible for
the management of old records no longer actively used, but which may be
appropriate for preservation, and for the physical maintenance of the
Federal Government's records. VA must be able to provide the records to
NARA and GSA in order to determine the proper disposition of such
records.
6. VA may disclose information from this system of records to the
Department of Justice (DOJ), either on VA's initiative or in response
to DOJ's request for the information, after either VA or DOJ determines
that such information is relevant to DOJ's representation of the United
States or any of its components in legal proceedings before a court or
adjudicative body, provided that, in each case, the agency also
determines prior to disclosure that release of the records to DOJ is a
use of the information contained in the records that is compatible with
the purpose for which VA collected the records. VA, on its own
initiative, may disclose records in this system of records in legal
proceedings before a court or administrative body after determining
that the disclosure of the records to the court or administrative body
is a use of the information contained in the records that is compatible
with the purpose for which VA collected the records.
7. Records from this system of records may be disclosed to inform a
Federal agency, licensing boards, or the appropriate non-Government
entities about the health care practices of a terminated, resigned, or
retired health care employee whose professional health care activity so
significantly failed to conform to generally accepted standards of
professional medical practice as to raise reasonable concern for the
health and safety of patients receiving medical care in the private
sector or from another Federal agency.
8. Disclosure may be made to a national certifying body which has
the authority to make decisions concerning the issuance, retention, or
revocation of licenses, certifications or registrations required to
practice a health care profession, when requested in writing by an
investigator or supervisory official of the national certifying body
for the purpose of making a decision concerning the issuance,
retention, or revocation of the license, certification, or registration
of a named health care professional. VA must be able to report
information regarding the care a health care practitioner provides to a
national certifying body charged with maintaining the health and safety
of patients by making a decision about a health care professional's
license, certification, or registration, such as issuance, retention,
revocation, or other actions such as suspension.
9. Disclosure may be made to officials of labor organizations
recognized under 5 U.S.C. Chapter 71, when relevant and necessary to
their duties of exclusive representation concerning personnel policies,
practices, and matters affecting working conditions.
10. Disclosure may be made to the VA-appointed representative of an
employee all notices, determinations, decisions, or other written
communications issued to the employee in connection with an examination
ordered by VA under medical evaluation (formerly fitness-for-duty)
examination procedures or Department-filed disability retirement
procedures.
11. VA may disclose information to officials of the Merit Systems
Protection Board (MSPB) or the Office of Special Counsel (OSC), when
requested in connection with appeals, special studies of the civil
service and other merit systems, review of rules and regulations,
investigation of alleged or possible prohibited personnel practices,
and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as
authorized by law.
12. VA may disclose information to the Equal Employment Opportunity
Commission (EEOC) when requested in connection with investigations of
alleged or possible discriminatory practices, examination of Federal
affirmative employment programs, or for other functions of the
Commission as authorized by law or regulation. VA must be able to
provide information to the Commission to assist it in fulfilling its
duties to protect employees' rights, as required by statute and
regulation.
13. VA may disclose to the Fair Labor Relations Authority (FLRA)
(including its General Counsel) information related to the
establishment of jurisdiction, the investigation and resolution of
allegations of unfair labor practices, or information in connection
with the resolution of exceptions to arbitration awards when a question
of material fact is raised; to disclose information in matters properly
before the Federal Services Impasse Panel (FSIP) and to investigate
representation petitions and conduct or supervise representation
elections. VA must be able to provide information to FLRA to comply
with the statutory mandate under which it operates.
14. Disclosure of medical record data, excluding name and address,
unless name and address are furnished by the requester, may be made to
epidemiological and other research facilities for research purposes
determined to be necessary and proper when approved in accordance with
VA policy.
15. Disclosure of names and addresses of present or former
personnel of the Armed Forces and/or their dependents, may be made to:
(a) A Federal department or agency, at the written request of the head
or designee of that agency; or (b) directly to a contractor or
subcontractor of a Federal department or agency, for the purpose of
conducting Federal research necessary to accomplish a statutory purpose
of an agency. When disclosure of this information is made directly to a
contractor, VA may impose applicable conditions on the department,
agency, and/or contractor to ensure the appropriateness of the
disclosure to the contractor.
16. Disclosures of relevant information may be made to individuals,
organizations, private or public agencies, or other entities with whom
VA has a contract or agreement or where there is a subcontract to
perform the services as VA may deem practicable for the purposes of
laws administered by VA, in order for the contractor or subcontractor
to perform the services of the contract or agreement. This routine use
includes disclosures by the individual or entity performing the service
for VA to any secondary entity or individual to perform an activity
that is necessary for individuals, organizations, private or public
agencies, or other entities or individuals with whom VA has a contract
or agreement to provide the service to VA.
17. Disclosure to other Federal agencies may be made to assist such
agencies in preventing and detecting possible fraud or abuse by
individuals in their operations and programs.
18. VA may, on its own initiative, disclose any information or
records to appropriate agencies, entities, and persons when (1) VA
suspects or has confirmed that the integrity or confidentiality of
information in the system of records has been compromised; (2) the
Department has determined that, as a result of the suspected or
confirmed compromise, there is a risk of embarrassment or harm to the
reputations of the record subjects, harm to economic or property
interests, identity theft or fraud, or harm to the security,
confidentiality, or integrity of this system or other systems or
programs (whether maintained by the Department or another agency), or
disclosure is to agencies, entities, or persons whom VA determines are
[[Page 66809]]
reasonably necessary to assist or carry out the Department's efforts to
respond to the suspected or confirmed compromise and prevent, minimize,
or remedy such harm. This routine use permits disclosures by the
Department to respond to a suspected or confirmed data breach,
including the conduct of any risk analysis or provision of credit
protection services as provided in 38 U.S.C. 5724, as the terms are
defined in 38 U.S.C. 5727.
19. VA may disclose any information to another covered entity that
is a Government agency administering a Government program providing
public benefits if the programs serve the same or similar populations
as VA, and the disclosure of information is necessary to coordinate the
functions of such programs or to improve administration and management
relating to the functions of such programs.
20. VA may disclose health care information to a non-VA health care
provider, such as private health care providers or hospitals, DoD, or
IHS providers, for the purpose of treating VA patients. To better
facilitate medical care and treatment for Veterans, VA must be prepared
to share health information between VHA, DoD, IHS, and other government
health care organizations.
21. VA may disclose information to a former VA employee or
contractor, as well as the authorized representative of a current or
former employee or contractor of VA, in pending or reasonably
anticipated litigation against the individual regarding health care
provided during the period of his or her employment or contract with
VA.
III. Compatibility of the Proposed Routine Uses
The Privacy Act permits VA to disclose information about
individuals without their consent for a routine use when the
information will be used for a purpose that is compatible with the
purpose for which VA collected the information. In all of the routine
use disclosures described above, either the recipient of the
information will use the information in connection with a matter
relating to one of VA's programs, to provide a benefit to the VA, or to
disclose information as required by law.
Under section 264, Subtitle F of Title II of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191,
100 Stat. 1936, 2033-34 (1996), the United States Department of Health
and Human Services (HHS) published a final rule, as amended,
establishing Standards for Privacy of Individually-Identifiable Health
Information, 45 CFR Parts 160 and 164. VHA may not disclose
individually identifiable health information (as defined in HIPAA and
the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to
a routine use unless either: (a) the disclosure is required by law, or
(b) the disclosure is also permitted or required by HHS' Privacy Rule.
The disclosures of individually-identifiable health information
contemplated in the routine uses published in this amended system of
records notice are permitted under the Privacy Rule or required by law.
However, to also have authority to make such disclosures under the
Privacy Act, VA must publish these routine uses. Consequently, VA is
publishing these routine uses and is adding a preliminary paragraph to
the routine uses portion of the system of records notice stating that
any disclosure pursuant to the routine uses in this system of records
notice must be either required by law or permitted by the Privacy Rule,
before VHA may disclose the covered information.
The notice of intent to publish and an advance copy of the system
notice have been sent to the appropriate Congressional committees and
to the Director, Office of Management and Budget (OMB), as required by
5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR
77677), December 12, 2000.
Approved: October 9, 2013.
Jose D. Riojas,
Chief of Staff, Department of Veterans Affairs.
173VA005OP2
SYSTEM NAME:
VA Mobile Application Environment (MAE)-VA
SYSTEM LOCATION:
Records are maintained at VA Contracted Service Provider,
Terremark, at 18155 Technology Drive, Culpeper, VA 22701-3805.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The records contain information on Veterans, Veteran beneficiaries,
Veteran caregivers, members of the Armed Forces, Reserves and National
Guard, and other VA customers in addition to VA authorized users (e.g.,
VA employees, VA contractors, VA volunteers, and other individuals
permitted VA have access to VA IT systems).
CATEGORIES OF RECORDS IN THE SYSTEM:
The records may include information related to data entered through
Web and mobile applications developed and maintained by VA, accessed
and updated by the individuals covered by the system as well as by VA-
authorized users. The records may contain information, such as
demographics (e.g., name, social security numbers, physical address,
phone number, email address), health-related information (e.g., vital
signs, allergies, medications, health-related history, health
assessments), benefit-related information, information provided to VA
for the potential provision of services and benefits, military history
and services, preferences for authorizing the sharing of their health
information (e.g., electronic surrogate authorizations, electronic
surrogate revocations). The records may include identifiers such as
VA's integration control number. The information will be primarily
benefits and health-related but may include other information such as
customer-entered updates to demographic information.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Title 38, United States Code, Section 501.
PURPOSE(S):
The records and information will be used to provide a repository
for the clinical and administrative information that is collected,
retrieved, or displayed from within a VA mobile or Web application. The
purpose of use will include, but not be limited to, health care
treatment information, disability adjudication, and benefits to the
Veteran both within the VA Medical Center and in sharing with partners
who are participating through the eHealth Exchange in VA's Mobile
pilots and subsequent public and enterprise roll-out of new
applications. Data may also be used at an aggregate, non-personally
identifiable level to track and evaluate local or national health and
benefits initiatives and preventative-care measures, such as detecting
outbreaks of flu or other diseases, detection of antibiotic resistance
bacteria, etc. These data may be used for such purposes as scheduling
patient treatment services, including nursing care, clinic
appointments, surveys, diagnostic, and therapeutic procedures. These
data may also be used for the purpose of health care operations, such
as producing various management and patient follow-up reports;
responding to patient and other inquiries; for epidemiological research
and other health care-related studies; statistical analysis, resource
allocation and planning; providing clinical and administrative support
to patient medical care; determining entitlement and eligibility for VA
[[Page 66810]]
benefits; processing and adjudicating benefit claims by Veterans
Benefits Administration Regional Office staff; for audits, reviews, and
investigations conducted by staff of VA Central Office and VA's OIG;
sharing of health information between and among VHA, DoD, IHS, and
other Government and private industry health care organizations; law
enforcement investigations; quality assurance audits, reviews, and
investigations; personnel management and evaluation; employee ratings
and performance evaluations; and employee disciplinary or other adverse
action, including discharge; advising health care professional
licensing or monitoring bodies or similar entities of activities of VA
and former VA health care personnel.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include
information protected by 38 U.S.C. 7332, (e.g., medical treatment
information related to drug abuse, alcoholism or alcohol abuse, sickle
cell anemia or infection with the human immunodeficiency virus), that
information cannot be disclosed under a routine use unless there is
also specific statutory authority permitting disclosure.
1. On its own initiative, VA may disclose information, except for
the names and home addresses of Veterans and their dependents, to a
Federal, state, local, tribal, or foreign agency charged with the
responsibility of investigating or prosecuting civil, criminal, or
regulatory violations of law, or charged with enforcing or implementing
the statute, regulation, rule, or order issued pursuant thereto. On its
own initiative, VA may also disclose the names and addresses of
Veterans and their dependents to a Federal agency charged with the
responsibility of investigating or prosecuting civil, criminal, or
regulatory violations of law, or charged with enforcing or implementing
the statute, regulation, rule, or order issued pursuant thereto.
2. Disclosure may be made to any source from which additional
information is requested (to the extent necessary to identify the
individual, inform the source of the purpose(s) of the request), and to
identify the type of information requested), when necessary to obtain
information relevant to an individual's eligibility, care history, or
other benefits.
3. Disclosure may be made to an agency in the executive,
legislative, or judicial branch, or the District of Columbia's
government in response to its request or at the initiation of VA, in
connection with disease tracking, patient outcomes or other health
information required for program accountability.
4. The record of an individual who is covered by a system of
records may be disclosed to a Member of Congress, or a staff person
acting for the Member, when the Member or staff person requests the
record on behalf of and at the written request of the individual.
5. Disclosure may be made to NARA and GSA in records management
inspections conducted under authority of Title 44, Chapter 29, of the
United States Code.
6. VA may disclose information from this system of records to DOJ,
either on VA's initiative or in response to DOJ's request for the
information, after either VA or DOJ determines that such information is
relevant to DOJ's representation of the United States or any of its
components in legal proceedings before a court or adjudicative body,
provided that, in each case, the agency also determines prior to
disclosure that release of the records to DOJ is a use of the
information contained in the records that is compatible with the
purpose for which VA collected the records. VA, on its own initiative,
may disclose records in this system of records in legal proceedings
before a court or administrative body after determining that the
disclosure of the records to the court or administrative body is a use
of the information contained in the records that is compatible with the
purpose for which VA collected the records.
7. Records from this system of records may be disclosed to inform a
Federal agency, licensing boards, or the appropriate non-Government
entities about the health care practices of a terminated, resigned, or
retired health care employee whose professional health care activity so
significantly failed to conform to generally-accepted standards of
professional medical practice as to raise reasonable concern for the
health and safety of patients receiving medical care in the private
sector or from another Federal agency.
8. Disclosure may be made to a national certifying body which has
the authority to make decisions concerning the issuance, retention, or
revocation of licenses, certifications or registrations required to
practice a health care profession, when requested in writing by an
investigator or supervisory official of the national certifying body
for the purpose of making a decision concerning the issuance,
retention, or revocation of the license, certification, or registration
of a named health care professional.
9. Disclosure may be made to officials of labor organizations
recognized under 5 U.S.C. Chapter 71, when relevant and necessary to
their duties of exclusive representation concerning personnel policies,
practices, and matters affecting working conditions.
10. Disclosure may be made to the VA-appointed representative of an
employee all notices, determinations, decisions, or other written
communications issued to the employee in connection with an examination
ordered by VA under medical evaluation (formerly fitness-for-duty)
examination procedures or Department-filed disability retirement
procedures.
11. VA may disclose information to officials of MSPB or OSC, when
requested in connection with appeals, special studies of the civil
service and other merit systems, review of rules and regulations,
investigation of alleged or possible prohibited personnel practices,
and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as
authorized by law.
12. VA may disclose information to EEOC when requested in
connection with investigations of alleged or possible discriminatory
practices, examination of Federal affirmative employment programs, or
for other functions of the Commission as authorized by law or
regulation.
13. VA may disclose to FLRA (including its General Counsel)
information related to the establishment of jurisdiction,
investigation, and resolution of allegations of unfair labor practices,
or information in connection with the resolution of exceptions to
arbitration awards when a question of material fact is raised to
disclose information in matters properly before the Federal Services
Impasse Panel and to investigate representation petitions and conduct
or supervise representation elections.
14. Disclosure of medical record data, excluding name and address,
unless name and address is furnished by the requester, may be made to
epidemiological and other research facilities for research purposes
determined to be necessary and proper when approved in accordance with
VA policy.
15. Disclosure of names and addresses of present or former
personnel of the Armed Forces, and/or their dependents, may be made to:
(a) a Federal department or agency, at the written request of the head
or designee of that agency; or (b) directly to a contractor or
subcontractor of a Federal department or agency, for the purpose of
conducting
[[Page 66811]]
Federal research necessary to accomplish a statutory purpose of an
agency. When disclosure of this information is made directly to a
contractor, VA may impose applicable conditions on the department,
agency, and/or contractor to ensure the appropriateness of the
disclosure to the contractor.
16. Disclosures of relevant information may be made to individuals,
organizations, private or public agencies, or other entities with whom
VA has a contract or agreement or where there is a subcontract to
perform the services as VA may deem practicable for the purposes of
laws administered by VA, in order for the contractor or subcontractor
to perform the services of the contract or agreement. This routine use
includes disclosures by the individual or entity performing the service
for VA to any secondary entity or individual to perform an activity
that is necessary for individuals, organizations, private or public
agencies, or other entities or individuals with whom VA has a contract
or agreement to provide the service to VA.
17. Disclosure to other Federal agencies may be made to assist such
agencies in preventing and detecting possible fraud or abuse by
individuals in their operations and programs.
18. VA may, on its own initiative, disclose any information or
records to appropriate agencies, entities, and persons when (1) VA
suspects or has confirmed that the integrity or confidentiality of
information in the system of records has been compromised; (2) the
Department has determined that as a result of the suspected or
confirmed compromise, there is a risk of embarrassment or harm to the
reputations of the record subjects, harm to economic or property
interests, identity theft or fraud, or harm to the security,
confidentiality, or integrity of this system or other systems or
programs (whether maintained by the Department or another agency or
disclosure is to agencies, entities, or persons whom VA determines are
reasonably necessary to assist or carry out the Department's efforts to
respond to the suspected or confirmed compromise and prevent, minimize,
or remedy such harm. This routine use permits disclosures by the
Department to respond to a suspected or confirmed data breach,
including the conduct of any risk analysis or provision of credit
protection services as provided in 38 U.S.C. 5724, as the terms are
defined in 38 U.S.C. 5727.
19. VA may disclose any information to another covered entity that
is a Government agency administering a Government program providing
public benefits if the programs serve the same or similar populations
as VA, and the disclosure of information is necessary to coordinate the
functions of such programs or to improve administration and management
relating to the functions of such programs.
20. VA may disclose health care information to a non-VA health care
provider, such as private health care providers or hospitals, DoD, or
IHS providers, for the purpose of treating VA patients.
21. VA may disclose information to a former VA employee or
contractor, as well as the authorized representative of a current or
former employee or contractor of VA, in pending or reasonably
anticipated litigation against the individual regarding health care
provided during the period of his or her employment or contract with
VA.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Records are maintained on electronic storage media including
magnetic tape, disk, and laser optical media.
RETRIEVABILITY:
Records may be retrieved by name, social security number, VA's
integration control number, or other assigned identifiers of the
individuals for whom they are maintained.
SAFEGUARDS:
1. Access to and use of national administrative databases,
warehouses, and data marts are limited to those persons whose official
duties require such access, and VA has established security procedures
to ensure that access is appropriately limited. Information security
officers and system data stewards review and authorize data access
requests. VA regulates data access with security software that
authenticates users and requires individually-unique codes and
passwords. VA requires information security training for all staff and
instructs staff on the responsibility each person has for safeguarding
data confidentiality.
2. Physical access to computer rooms housing national
administrative databases, warehouses, and data marts is restricted to
authorized staff and protected by a variety of security devices.
Unauthorized employees, contractors, and other staff are not allowed in
computer rooms.
3. Data transmissions between operational systems and national
administrative databases, warehouses, and data marts maintained by this
system of record are protected by state-of-the-art telecommunication
software and hardware. This may include firewalls, intrusion detection
devices, encryption, and other security measures necessary to safeguard
data as it travels across the VA-Wide Area Network.
4. In most cases, copies of back-up computer files are maintained
at off-site locations.
RETENTION AND DISPOSAL:
Records from this system that are needed for audit purposes will be
disposed of 6 years after a user's account becomes inactive. Routine
records will be disposed of when the agency determines they are no
longer needed for administrative, legal, audit, or other operational
purposes. These retention and disposal statements are pursuant to NARA
General Records Schedules GRS 20, item 1c and GRS 24, item 6a.
SYSTEM MANAGER(S) AND ADDRESS:
Official maintaining this system of records and responsible for
policies and procedures is the Executive Director of VA Enterprise
Infrastructure Engineering, VA Office of Information and Technology,
Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC
20420. Official delegated to maintain this system of records on behalf
of VA OIT is the Director of VA Connected Health, VHA Office of
Informatics and Analytics, Department of Veterans Affairs, 810 Vermont
Avenue NW., Washington, DC 20420.
NOTIFICATION PROCEDURE:
Individuals who wish to determine whether this system of records
contains information about them should contact the Director of VA
Connected Health, VHA Office of Informatics and Analytics, Department
of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420 or
via the Web at http://mobilehealth.va.gov. Inquiries should include the
person's full name, social security number, and their return address.
RECORD ACCESS PROCEDURES:
Individuals seeking information regarding access to and contesting
of records in this system may write the Director of VA Connected
Health, VHA Office of Informatics and Analytics, Department of Veterans
Affairs, 810 Vermont Avenue NW., Washington, DC 20420. Inquiries
should, at a minimum, include the person's full name, social security
number, type of information
[[Page 66812]]
requested or contested, their return address, and phone number.
CONTESTING RECORD PROCEDURES:
(See Record Access Procedures above.)
RECORD SOURCE CATEGORIES:
Information in this system of records is provided by Veterans and
their beneficiaries or caregivers, members of the Armed Services,
Reserves or National Guard; VA employees, other VA-authorized users
(e.g., DoD), and information from VA computer systems and databases
include, but not limited to, Veterans Health Information Systems and
Technology Architecture (VistA)-VA (79VA10P2) and National Patient
Databases-VA (121VA10P2), VAMCs, Federal and non-Federal VLER/eHealth
Exchange partners, and DoD.
[FR Doc. 2013-26520 Filed 11-5-13; 8:45 am]
BILLING CODE 8320-01-P