[Federal Register Volume 78, Number 244 (Thursday, December 19, 2013)]
[Notices]
[Pages 76897-76901]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-30228]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY: Department of Veterans Affairs (VA).
ACTION: Notice of Amendment to System of Records.
-----------------------------------------------------------------------
SUMMARY: As required by the Privacy Act of 1974, 5 U.S.C. 552a(e),
notice is hereby given that the Department of Veterans Affairs (VA) is
amending the system of records currently titled ``Income Verification
Records--VA'' (89VA16) as set forth in the Federal Register (73 FR
26192-26197), dated May 8, 2008. VA is amending the System Number,
System Location, Access, Routine Uses of Records Maintained in the
System, Storage, Safeguards, and Records Source Categories. VA is
republishing the system notice in its entirety.
DATES: Comments on the amendment of this system of records must be
received no later than January 21, 2014. If no public comment is
received, the amended system will become effective January 21, 2014.
ADDRESSES: Written comments may be submitted through
www.Regulations.gov; by mail or hand-delivery to Director, Regulations
Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue
NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026.
Comments received will be available for public inspection in the Office
of Regulation Policy and Management, Room 1063B, between the hours of
8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays).
Please call (202) 461-4902 (this is not a toll-free number) for an
appointment. In addition, during the comment period, comments may be
viewed online through the Federal Docket Management System at
www.Regulations.gov.
FOR FURTHER INFORMATION CONTACT: Veterans Health Administration Privacy
Officer, Department of Veterans Affairs, 810 Vermont Avenue NW.,
Washington, DC 20420; telephone (704) 245-2492.
SUPPLEMENTARY INFORMATION:
Background
Public Law 101-508, the Omnibus Budget Reconciliation Act of 1990,
provides VA the authority to verify Veterans' self-reported income to
determine eligibility for medical benefits. VA's Health Eligibility
Center (HEC) in Atlanta, Georgia, originally established as the Income
Verification Match Center, has authority under section 8051 to verify
Veterans' self-reported income with the Internal Revenue Service (IRS)
and Social Security Administration (SSA).
The system number is changed from 89VA16 to 89VA10NB to reflect the
current organizational alignment.
The System Location, Access, and Safeguard sections have been
amended to change the Austin Automation Center to what is now known as
the Austin Information Technology Center.
Routine use nineteen (19) has been added to state that disclosures
to other Federal agencies may be made to assist such agencies in
preventing and detecting possible fraud or abuse by individuals in
their operations and programs.
The section titled ``Storage'' is being amended to state that
records are maintained at a secure off-site facility in Atlanta and
Austin. In January 2013, VA implemented a new electronic data
transmission process called Direct Connect, which is a secure Virtual
Private Network (VPN) tunnel to transmit and receive Veterans'
household income from IRS. VPN only affects the means in which the data
is transmitted; it does not affect the storage of the data.
``Safeguard'' is being amended under number three (3) to include
that the card has restricted access capability, which allows
restriction of unauthorized personnel to secured areas. HEC Security
Officer has been replaced with
[[Page 76898]]
HEC Personal Card Issuer. Number twelve (12) has been amended to
replace the Center with the HEC Information Security Office (ISO).
The section titled ``Records Source Categories'' has been amended
to change 24VA19 to 24VA10P2 and ``Compensation, Pension, Education and
Rehabilitation Records--VA'' (58VA21/22) to ``VA Compensation, Pension,
Education, and Vocational Rehabilitation and Employment Records--VA''
(58VA21/22/28).
The Report of Intent To Amend a System of Records Notice and an
advance copy of the system notice have been sent to the appropriate
Congressional committees and to the Director of the Office of
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
Approved: December 2, 2013.
Jose D. Riojas,
Chief of Staff, Department of Veteran Affairs.
SOR : 89VA10NB
SYSTEM NAME:
``Income Verification Records--VA''
SYSTEM LOCATION:
Records are maintained at VA's Health Eligibility Center (HEC) in
Atlanta, Georgia, and the Austin Information Technology Center (AITC)
in Austin, Texas. Records are also stored at contracted locations in
McLean, Virginia, and Atlanta, Georgia.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Veterans who have applied for or have received VA health care
benefits under Title 38, United States Code, Chapter 17; Veterans'
spouses and other dependents as provided for in other provisions of
Title 38, United States Code.
CATEGORIES OF RECORDS IN THE SYSTEM:
The category of records in the system includes:
Federal Tax Information (FTI) and social security information
generated as a result of computer matching activity with records from
the IRS and SSA. The records may also include, but are not limited to,
correspondence between HEC, Veterans, their family members, and
Veterans' representatives such as Veterans Service Officers (VSO);
copies of death certificates; Notice of Separation; disability award
letters; IRS documents (e.g., Form 1040s, Form 1099s, W-2s); workers
compensation forms; and various annual earnings statements, as well as
pay stubs and miscellaneous receipts.
Note: VA may not disclose to any person in any manner any
document that contains FTI received from IRS or SSA in accordance
with the Internal Revenue Code (IRC) 26 U.S.C. 6103(l)(7). In
addition, VA may not allow access to FTI by any contractor or
subcontractor.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Title 38, United States Code, Sections 501(a), 1705, 1710, 1722,
and 5317.
PURPOSE(S):
Information in this system of records is used to verify the
household income of certain Veterans and, if relevant, their spouses or
dependents receiving VA health care benefits. The information in this
system of records is also used to validate Veterans' and their spouses'
social security numbers; provide educational materials related to
income verification; respond to Veteran and non-Veteran inquiries
related to income verification; and compile management reports.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include
information protected by 45 CFR Parts 160 and 164, (i.e., individually
identifiable health information and 38 U.S.C. 7332), (i.e., medical
treatment information related to drug abuse, alcoholism or alcohol
abuse, sickle cell anemia or infection with the human immunodeficiency
virus), that information cannot be disclosed under a routine use unless
there is also specific statutory authority in 38 U.S.C. 7332 and
regulatory authority in 45 CFR Parts 160 and 164 permitting disclosure.
1. VA may disclose the record of an individual who is covered by
this system to a member of Congress or staff person acting for the
member in response to an inquiry made at the request of that
individual.
2. VA may disclose any information in this system of records,
except FTI, as deemed necessary and proper to named individuals serving
as accredited service organization representatives and other
individuals named as approved agents or attorneys for a documented
purpose, period of time, or specific income year, to aid beneficiaries
in the preparation and presentation of their cases during the
verification and/or due process procedures and in the presentation and
prosecution of claims under laws administered by VA.
3. VA may disclose, on its own initiative, any information in this
system, except the names, home addresses, or FTI of Veterans and their
dependents, which is relevant to a suspected or reasonably imminent
violation of law, whether civil, criminal, or regulatory in nature and
whether arising by general or program statute or by regulation, rule,
or order issued pursuant thereto, to a Federal, State, local, or
foreign agency charged with the responsibility of investigating or
prosecuting such violation, or charged with enforcing or implementing
the statute, regulation, rule, or order. Additionally, VA may also
disclose the names and addresses of Veterans and their dependents to a
Federal agency charged with the responsibility of investigating or
prosecuting civil, criminal, or regulatory violations of law, or
charged with enforcing or implementing the statute, regulation, rule,
or order issued pursuant thereto.
4. VA may disclose relevant information in this system, except FTI,
in the course of presenting evidence to a court, magistrate, or
administrative tribunal; in matters of guardianship, inquests, and
commitments; to private attorneys representing Veterans rated
incompetent in conjunction with issuance of Certificates of
Incompetency; and to probation and parole officers in connection with
court-required duties.
5. VA may disclose information in this system, except FTI, to a VA
Federal fiduciary or a guardian ad litem in relation to his or her
representation of a Veteran in any legal proceeding, but only to the
extent necessary to fulfill the duties of the fiduciary or the guardian
ad litem.
6. VA may disclose relevant information in this system, except FTI,
to attorneys, insurance companies, employers, third parties liable or
potentially liable under health plan contracts, and to courts, boards,
or commissions, but only to the extent necessary to aid VA in the
preparation, presentation, and prosecution of claims authorized under
Federal, State, or local laws, and regulations promulgated there under.
7. VA may disclose information in this system of records to the
Department of Justice (DOJ), either on VA's initiative or in response
to DOJ's request for the information, after either VA or DOJ determines
that such information is relevant to DOJ's representation of the United
States or any of its components in legal proceedings before a court or
adjudicative body, provided that, in each case, the agency also
determines prior to disclosure that disclosure of the records to DOJ is
a use of the information contained in the records that is compatible
with the purpose for which VA collected the records. VA, on its own
initiative, may disclose records in this system of records in legal
[[Page 76899]]
proceedings before a court or administrative body after determining
that the disclosure of the records to the court or administrative body
is a use of the information contained in the records that is compatible
with the purpose for which VA collected the records.
8. VA may disclose any information in this system, except FTI, to
National Archives and Records Administration (NARA) and General
Services Administration in records management inspections conducted
under Title 44 of United States Code.
9. VA may disclose information in this system, except FTI, to a
third party, except consumer reporting agencies, in connection with any
proceeding for the collection of an amount owed to the United States by
virtue of a person's participation in any benefit program administered
by VA, but only to the extent that it is reasonably necessary to (a)
assist VA in the collection of costs of services provided individuals
not entitled to such services; and (b) initiate civil or criminal legal
actions for collecting amounts owed to the United States and/or for
prosecuting individuals who willfully or fraudulently obtained or seek
to obtain Title 38 medical benefits. This disclosure is consistent with
38 U.S.C. 5701(b)(6).
10. VA may disclose the names and addresses of Veterans or their
dependents and other information as is reasonably necessary to identify
such individuals concerning that those individuals' indebtedness to the
United States by virtue of their participation in a benefits program
administered by VA to a consumer reporting agency for purposes of
assisting in the collection of such indebtedness, provided that the
provisions of 38 U.S.C. 5701(g)(4) have been met.
11. VA may disclose information from this system, except FTI, or
information security review purposes to other source Federal agencies
who are parties to computer matching agreements involving the
information maintained in this system, but only to the extent that the
information is necessary and relevant to the review.
12. VA may disclose the name and other identifying information of
Veterans and their spouses to reported payers of earned or unearned
income in order to verify the identifier address, income paid, period
of employment, and health insurance information provided on the means
test, and to confirm income and demographic data provided by other
Federal agencies during income verification computer matching.
13. VA may disclose identifying information other than FTI, such as
Veterans' and their dependents' social security numbers, to other
Federal agencies for purposes of conducting computer matches to obtain
valid identifying, demographic, and income information and to verify
eligibility of certain Veterans who are receiving VA medical benefits
under Title 38, United States Code, or for the purpose of conducting a
computer match to obtain information to validate social security
numbers maintained in VA records.
14. VA may disclose the name and social security number of a
Veteran, spouse, and dependents, and other identifying information as
is reasonably necessary to the SSA and the Department of Health and
Human Services, for the purpose of conducting a computer match to
obtain information to validate the social security numbers maintained
in VA records.
15. VA may disclose relevant information from this system to
individuals, organizations, private or public agencies, etc., with whom
VA has a contract or agreement to perform such services as VA may deem
practicable for the purposes of laws administered by VA in order for
the contractor or subcontractor to perform the services of the contract
or agreement.
Note: This routine use does not authorize disclosure of FTI
received from the IRS or the SSA to contractors or subcontractors.
16. VA may, on its own initiative, disclose any information or
records to appropriate agencies, entities, and persons when (1) VA
suspects or has confirmed that the integrity or confidentiality of
information in the system of records has been compromised; (2) VA has
determined that as a result of the suspected or confirmed compromise,
there is a risk of embarrassment or harm to the reputations of the
record subjects, harm to economic or property interests, identity theft
or fraud, or harm to the security, confidentiality, or integrity of
this system or other systems or programs (whether maintained by VA or
another agency or entity) that rely upon the potentially compromised
information; and (3) the disclosure is to agencies, entities, or
persons whom VA determines are reasonably necessary to assist or carry
out VA efforts to respond to the suspected or confirmed compromise and
prevent, minimize, or remedy such harm. This routine use permits
disclosures by VA to respond to a suspected or confirmed data breach,
including the conduct of any risk analysis or provision of credit
protection services as provided in 38 U.S.C. 5724, as the terms are
defined in 38 U.S.C. 5727.
17. VA may disclose information to officials of the Merit Systems
Protection Board, or the Office of Special Counsel, when requested in
connection with appeals, special studies of the civil service and other
merit systems, review of rules and regulations, investigation of
alleged or possible prohibited personnel practices, and such other
functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be
authorized by law.
18. VA may disclose information to the Federal Labor Relations
Authority (including its General Counsel) information related to the
establishment of jurisdiction, the investigation and resolution of
allegations of unfair labor practices, or information in connection
with the resolution of exceptions to arbitration awards when a question
of material fact is raised; to disclose information in matters properly
before the Federal Services Impasses Panel, and to investigate
representation petitions and conduct or supervise representation
elections.
19. Disclosure to other Federal agencies may be made to assist such
agencies in preventing and detecting possible fraud or abuse by
individuals in their operations and programs.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Records are currently maintained on magnetic tape, magnetic disk,
optical disk, and paper at secure off-site facilities in Atlanta,
Georgia, and Austin, Texas. In January 2013, VA implemented a new
electronic data transmission process called Direct Connect, which is a
secure VPN tunnel to transmit and receive Veterans' household income
from IRS. It only affects the means in which the data is transmitted;
it does not affect the storage of the data.
RETRIEVABILITY:
Records (or information contained in records) maintained on paper
documents are indexed and accessed by the applicant's name, social
security number or case number and filed in case order number.
Automated records are indexed and retrieved by the Veteran's name,
social security number, Internal Control Number, or case number. The
spouse's name or social security number may be retrieved from the
automated income verification record.
[[Page 76900]]
ACCESS:
1. In accordance with national and locally established data
security procedures, access to the HEC Legacy system and the Enrollment
Database is controlled by unique entry codes (access and verification
codes). The user's verification code is set to be changed automatically
every 90 days. User access to data is controlled by role-based access
as determined necessary by supervisory and information security staff
as well as by management of option menus available to the employee.
Determination of such access is based upon the role or position of the
employee and functionality necessary to perform the employee's assigned
duties.
2. On an annual basis, employees are required to sign a computer
access agreement acknowledging their understanding of confidentiality
requirements. In addition, all employees receive annual privacy
awareness and information security training. Access to electronic
records is deactivated when no longer required for official duties.
Recurring monitors are in place to ensure compliance with nationally
and locally established security measures.
3. Access to the AITC is generally restricted to AITC staff, VA
Headquarters employees, custodial personnel, Federal Protective
Service, and authorized operational personnel through electronic
locking devices.
4. Specific key staffs are authorized access to HEC computer room
and all other persons gaining access to the computer rooms are
escorted. Programmer access to the information systems is restricted
only to staff whose official duties require that level of access.
SAFEGUARDS:
1. Electronic data transmissions between VA health care facilities,
HEC, and AITC are safeguarded by using VA's secure wide area network.
The transmission of electronic data between SSA and AITC is safeguarded
through the use of a secured, encrypted connection. Back-up of magnetic
media containing FTI is transported between AITC and the off-site
location in a locked storage container by an off-site vendor. Vendor
personnel do not have key access to the locked container. The locked
storage container is stored in a safe in a secured room at the off-site
storage location. Access to the secured room and the safe is limited to
authorized VA Information Technology staff only.
2. The software programs at HEC, AITC, and VA health care
facilities automatically flag records or events for transmission via
electronic messages based upon functionality requirements. The
recipients of the messages are controlled and/or assigned to the mail
group based on their role or position. Server jobs at each facility run
continuously to check for incoming and outgoing data to be transmitted
which needs to be parsed to files on the receiving end. All messages
containing data transmissions include header information that is used
for validation purposes. Consistency checks in the software are used to
validate the transmission, and electronic acknowledgment messages are
returned to the sending application. The VA Office of Cyber Security
has oversight responsibility for planning and implementing computer
security.
3. Working spaces and record storage areas at the HEC are secured
during all business hours, as well as during non-business hours. All
entrance doors require an electronic pass card, issued by the HEC
Personal Card Issuer, for entry when unlocked, and entry doors are
locked outside normal business hours. The card has restricted access
capability, which allows restriction of unauthorized personnel to
secured areas. Visitors are required to present identification and
sign-in at a specified location. Visitors are issued a pass card which
allows access to non-sensitive areas and are escorted by staff through
restricted areas. At the end of the visit, visitors are required to
turn in their card. The building is equipped with an intrusion alarm
system which is activated during non-business hours. This alarm system
is monitored by a private security service vendor. The HEC office space
occupied by employees with access to Veteran records is secured with an
electronic locking system, which requires a card for entry and exit of
that office space. Access to the AITC is generally restricted to AITC
staff, VA Headquarters employees, custodial personnel, Federal
Protective Service, and authorized operational personnel through
electronic locking devices. All other persons gaining access to the
computer rooms are escorted.
4. A number of other security measures are implemented to enhance
security and safeguard of electronic records such as automatic timeout
after a short period of inactivity and device locking after a pre-set
number of invalid logon attempts, for example.
5. Electronic data, except FTI, is transmitted from HEC and AITC to
VA health care facilities over VA secure wide area network.
6. Employees at the health care facility level do not have access
to FTI, nor do they have the ability to edit or view income tests
received from HEC as a result of the income match with IRS.
7. Only specific key staff and the ISO are authorized access to the
computer room. Programmer access to AITC and HEC databases, which
contain FTI, is restricted only to staff whose official duties require
that level of access. Contractor staff are not authorized access to the
production database.
8. On-line data, including FTI, reside on magnetic media in AITC
computer room which are highly secured. Backup media are stored in a
combination lock safe in a secured room within the same building and
access to the safe is restricted to the IT staff. Backup media are
stored by an off-site media storage vendor who picks up the media on a
weekly basis from HEC and AITC and returns the media to the off-site
storage via a locked storage container. Vendor personnel do not have
key access to the locked container.
9. Any sensitive information that may be downloaded to a personal
computer or printed to hard copy format is provided the same level of
security as the electronic records. All paper documents and informal
notations containing sensitive data are shredded prior to disposal. All
magnetic media (primary computer system) and personal computer disks
are degaussed prior to disposal or released off site for repair.
10. HEC and AITC fully comply with the Tax Information Security
Guidelines for Federal, State and Local Agencies (Department of
Treasury IRS Publication 1075) as it relates to access and protection
of such data. These guidelines define the management of magnetic media,
paper and electronic records, and physical and electronic security of
the data.
11. All new HEC employees receive initial information security and
privacy training and refresher training are provided to all employees
on an annual basis. HEC's ISO performs an Annual Information Security
(AIS) audit. This annual audit includes the primary computer
information system, the telecommunication system, and local area
networks. Additionally, the IRS performs periodic on-site inspections
to ensure the appropriate level of security is maintained for FTI. HEC
and AITC's ISO and AIS administrator additionally perform periodic
reviews to ensure security of the system and databases.
12. Identification codes and codes used to access HEC automated
communications systems and records systems, as well as security
profiles and possible security violations, are maintained on magnetic
media in a secure environment by the HEC ISO. For contingency purposes,
database back-
[[Page 76901]]
ups on removable magnetic media are stored off-site by a licensed and
bonded media storage vendor.
13. VA field facilities do not receive FTI from AITC or HEC.
14. Contractors and subcontractors are required to adhere to HEC's
safeguard and security requirements.
RETENTION AND DISPOSAL:
Depending on the record medium, records are destroyed by either
shredding or degaussing. Paper records are destroyed after they have
been accurately scanned on optical disks. Optical disks or other
electronic medium are deleted when all phases of the Veteran's appeal
rights have ended (10 years after the income year for which the means
test verification was conducted). Electronic data and magnetic media
received at AITC from SSA and IRS are destroyed 30 days after the data
have been validated as being a true copy of the original data. Summary
reports and other output reports are destroyed when no longer needed
for current operation. Records are disposed of in accordance with the
records retention standards approved by the Archivist of the United
States, NARA, and published in the Veterans Health Administration
Records Control Schedule 10-1. Regardless of the record medium, no
records will be retired to a Federal records center.Vet
SYSTEM MANAGER(S) AND ADDRESS:
Official responsible for policies and procedures: Chief Business
Office (10NB2A), VA Central Office, 810 Vermont Avenue NW., Washington,
DC 20420. Official maintaining the system: Director, Health Eligibility
Center, 2957 Clairmont Road, Atlanta, Georgia 30329.
NOTIFICATION PROCEDURE:
Any individual who wishes to determine whether a record is being
maintained in this system under his or her name or other personal
identifier or wants to determine the contents of such record should
submit a written request or apply in person to the Health Eligibility
Center. All inquiries must reasonably identify the records requested.
Inquiries should include the individual's full name, social security
number, and return address.
RECORD ACCESS PROCEDURES:
Individuals seeking information regarding access to and contesting
of income verification records may write to the Director, Health
Eligibility Center, 2957 Clairmont Road, Suite 200, Atlanta, Georgia
30329.
CONTESTING RECORD PROCEDURES:
(See Record Access Procedures above.)
RECORD SOURCE CATEGORIES:
Information in this systems of records may be provided by the
applicant, applicant's spouse or other family members; accredited
representatives or friends; employers and other payers of earned
income; financial institutions and other payers of unearned income;
health insurance carriers; other Federal agencies; the ``Patient
Medical Records--VA'' (24VA10P2) and the ``Enrollment and Eligibility
Records--VA'' (147VA16) systems of records; and Veterans Benefits
Administration (VBA) automated record systems (including the ``Veterans
and Beneficiaries Identification and Records Location Subsystem--VA''
(38VA23) and the ``VA Compensation, Pension, Education, and Vocational
Rehabilitation and Employment Records--VA'' (58VA21/22/28)).
[FR Doc. 2013-30228 Filed 12-18-13; 8:45 am]
BILLING CODE 8320-01-P