Department of Veterans Affairs (VA).
Notice of Amendment of Systems of Records Notice “Healthcare Eligibility Records—VA”.
As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records currently entitled as “Healthcare Eligibility Records—VA” (89VA19) as established in Federal Register 59 FR 8677 dated 2/23/94 and amended in Federal Register 64 FR 13049 dated 3/16/99. VA is amending the system by revising the System Location; Categories of Records in the System; Routine Use Disclosure Statements; and Policies and Practices for Storing, Retrieving, Accessing, Retaining and Disposing of Records in the System, including Storage, Retrievability and Safeguards. VA is republishing the system notice in its entirety at this time.
Title 38 U.S.C. Section 1705, requires the Veterans Health Administration (VHA) to establish a system of annual patient enrollment. VHA determined that the Health Eligibility Center (HEC) database would be expanded to serve as the central enrollment database, thereby adding veteran eligibility and enrollment information in the database. Veterans' eligibility and enrollment information maintained in this database is shared with VA health care facilities involved in the veterans' care. The National Enrollment Database (NED) located at VA's Austin Automation Center (AAC), Austin, Texas, supports the national enrollment system. The NED is populated via nightly batch updates from the HEC. The extracts do not contain federal tax information.
In an effort to facilitate patient education about VA enrollment, VHA established a call center operated by contractors. The HEC shares certain veteran data with the contractor, to facilitate the contractor's ability to accurately respond to veteran inquiries relating to enrollment and eligibility information, and to assist in fulfilling requests for enrollment-related materials (brochures, application forms, etc.). Specific data shared with the contractor include veterans' names, social security numbers, addresses, phone numbers, dates of birth, enrollment priority groups and primary health care facilities. The contractor asks the veteran caller for his or her social security number (SSN) and date of birth when it is necessary to transfer the call to a VA Medical Center or HEC for further assistance. SSN and Date of Birth information assists VA Medical Center and HEC staffs in locating the veteran's records. Other data elements provided to the contractor are utilized to assist in advising the veteran on enrollment-related matters and to mail enrollment information to the caller. Veterans also contact the call center to provide change of address information. Any updated demographic data obtained from the caller by the contractor is submitted to the HEC through electronic mail. Information is secured through use of a dedicated T-1 line, which contains a firewall to secure the data.Start Printed Page 27753
Comments on the amendment of this system of records must be received no later than June 18, 2001. If no public comment is received, the new system will become effective June 18, 2001.
Written comments concerning the amendment of this system of records may be submitted to the Office of Regulations Management (02D), Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Comments will be available for public inspection at the above address in the Office of Regulations Management, Room 1158, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays).Start Further Info
FOR FURTHER INFORMATION CONTACT:
Veterans Health Administration (VHA) Privacy Act Officer, Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, D.C. 20420, telephone (727) 320-1839.End Further Info End Preamble Start Supplemental Information
The purpose for this system of records amendment is to expand the categories of individuals covered; to add a new routine use for the data contained in the system of records and to cover records to be maintained in the NED. The system location has been amended to reflect additional locations of certain data contained in the system of records, e.g., with or by contractor and records maintained at the AAC. The individuals covered by this system have been increased to include all enrolled veterans who have applied for VA health care services under Title 38, United States Code, Chapter 17, and their spouses and dependents as provided for in other provisions of Title 38, United States Code. Under the previous notice only, VA collected data on only non-service connected veterans and noncompensable, zero percent service-connected veterans.
The safeguards portion of the notice has been amended to describe the security provisions for information contained in the system of records for the NED and contractor sites.
A new routine use of the data is added to reflect that certain data contained in the system of records is shared with a contractor or subcontractor.
A supplementary statement has been added under retention and disposal of the records to reflect that records are disposed of in accordance with the records retention standards approved by the Archivist of the United States, National Archives and Records Administration, and published in VHA Records Control Schedule 10-1.
The HEC in Atlanta, Georgia, was originally established as the Income Verification Match Center (IVMC) to verify the income of non-service connected veterans with Internal Revenue Service (IRS) and Social Security Administration (SSA) information to verify the veteran's eligibility for VA health care benefits, as authorized by section 8051, Public Law 101-508. Section 8014 of Public Law 105-33 extended VA's matching authority through September 30, 2002.
Title 38, United States Code, Section 1705, requires VA to design, establish and operate a system of annual patient enrollment. As a matter of policy, VA has determined that the HEC database will be expanded to serve as the central repository for eligibility and enrollment data of veterans applying for, or receiving VA health care benefits. Veterans' enrollment information, such as the beginning and ending date of the enrollment period, enrollment status and primary health care facility, will be maintained in this database and provided to VA health care facilities involved in the veterans' care. This increases the types of records and individuals covered under the system.
To carry out the HEC programs, the Center receives electronic transmissions of eligibility and enrollment information on a nightly basis from VA health care facilities via the Department's electronic communications system (wide area network). These transmissions include personal, income and eligibility information, such as name, social security number, address, health insurance coverage, and other information concerning veteran's household income and eligibility status. Where relevant to the means test, these transmissions include information necessary to make such determination that is provided by the veteran. Compensation and pension award information contained in claims records administered by the Veterans Benefit Administration (VBA) is also sent to the HEC database by the AAC. This transmission is accomplished by using the Department's wide area network, ensuring consistency of eligibility information contained in records covered by this system. The HEC automatically sends this information over the VA's wide area network to VA medical facilities where the veteran received care within the past three years. VA medical facilities can query the HEC database to obtain information on veteran applicants who have not previously received health care at that facility. If available, updated information is transmitted to the requesting facility and loaded into the facility's database. Once in the facility database, this information is covered by another system of records.
The HEC submits record identifying information (name, social security number, data of birth, and sex) to SSA for social security number validation on the veteran, spouse or dependent. This data exchange is restricted to validation of SSN data that the VHA submits to SSA. SSA does not disclose SSN information. The validated social security number assists in matching a veteran's record maintained at one VA health care facility with records maintained at another and with records maintained on the individual by the VBA.
For certain veterans whose eligibility for VA health care is based on income, the validated social security number is also used to match VA records with SSA and IRS for income verification purposes. For veterans whose eligibility for VA health care is based on income, the HEC database contains earned and unearned income data received from IRS and SSA. However, no Federal Tax Information (FTI) data that the VA has obtained from IRS or SSA will be disclosed outside of the HEC or to a contractor or subcontractor. FTI information is tax information and tax return information obtained from the IRS or SSA, such as taxpayer's identity, source or amount of income, payment deductions, exemptions, assets, net worth, tax liability, tax withheld, deficiencies, over assessments or tax payments.
Routine use number 15 states relevant information from this system may be disclosed to individuals, organizations, private or public agencies, etc., with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA in order for the contractor or subcontractor to perform the services of the contract or agreement. This routine use is being added to reflect that certain information contained in the system of records is shared with a contractor, and subcontractor as appropriate to perform the contracted services.
The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.Start Signature
Approved: April 25, 2001.
Anthony J. Principi,
Secretary of Veterans Affairs.
Health Eligibility Records—VA.
Records are maintained at the Health Eligibility Center (HEC), 1644 Tullie Circle, Atlanta, Georgia 30329; the contractor of record's site; and the National Enrollment Database (NED) VA Austin Automation Center (AAC), Austin, Texas.
CATEGORIES OF INDIVIDUALS COVERED BY THIS SYSTEM:
Veterans who have applied for health care services under Title 38, United States Code, Chapter 17; their spouses and dependents as provided for, in other provisions of Title 38, United States Code; and non-veterans inquiring about VA health care benefits.
CATEGORIES OF RECORDS IN THE SYSTEM:
The category of records in the system include:
National Enrollment Database (NED) records including: Medical benefit application and eligibility information; identifying information including name, address, date of birth, social security number, claim number, family information including spouse and dependent(s) name, address and social security number; employment information on veteran and spouse, including occupation, employer(s) name(s) and address(es); financial information concerning the veteran and the veteran's spouse including family income, assets, expenses, debts; third party health plan contract information, including health insurance carrier name and address, policy number and time period covered by policy; facility location(s) where treatment is provided; type of treatment provided, i.e., inpatient or outpatient; and dates of visits.
Health Eligibility Center (HEC) records including [formerly the Income Verification Match (IVM) record]: Federal Tax Information (FTI) generated as a result of income verification computer match with records from Internal Revenue Service (IRS) and the Social Security Administration (SSA); documents obtained during the notification, verification and due process periods, such as initial verification letters, income verification forms, final confirmation letters, due process letters, clarification letters and subpoena documentation. FTI is tax information and tax return information obtained from the IRS or SSA, such as taxpayer's identity, source or amount of income, payment deductions, exemptions, assets, net worth, tax liability, tax withheld, deficiencies, over assessments or tax payments. Individual correspondence provided to the HEC by veterans or family members including, but not limited to, copies of death certificates; DD 214, Notice of Separation; disability award letters; IRS documents (i.e., Form 1040's, W-2's, etc.); state welfare and food stamp applications; VA and other pension applications; VA Form 10-10EZ, Application for Medical Benefits; workers compensation forms; and various annual earnings statements, as well as pay stubs. VA may not disclose to any person in any manner FTI received from IRS and SSA except as necessary to determine eligibility for benefits in accordance with the Internal Revenue Code (IRC) 26 U.S.C. 6103 (l)(7). VA may not allow access to FTI by any contractor or subcontractor.
Call Center Records including: Veteran's name, social security number, address, date of birth, phone number, enrollment priority group and primary health care facility.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Title 38, United States Code, Sections 501 (a), 1705, 1722, and 5317.
Information in the system of records is used to update, verify and validate veteran eligibility, conduct income testing and verification activities; to validate social security numbers of veterans and spouses of those veterans receiving VA health care benefits; to ensure accuracy of veterans' eligibility information for medical care benefits; to operate an annual enrollment system; to update veteran eligibility; provide enrollment materials to educate veterans on enrollment; respond to veteran and non veteran inquiries on enrollment and eligibility; and to compile management reports.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include information protected by 26 U.S.C. 6103(p)(4), i.e., the nature, source and amount of income, that information cannot be disclosed under a Routine Use set forth absent specific authorization from the IRS or the VA Office of General Counsel (024).
1. The record of an individual who is covered by this system may be disclosed to a member of Congress or staff person acting for the member when the member or staff person requests the record on behalf of, and at the written request of, that individual.
2. Disclosure of HEC (formerly IVM) records, as deemed necessary and proper to named individuals serving as accredited service organization representatives and other individuals named as approved agents or attorneys for a documented purpose and period of time, to aid beneficiaries in the preparation and presentation of their cases during the verification and/or due process procedures and in the presentation and prosecution of claims under laws administered by the Department of Veterans Affairs (VA).
3. In the event that information in this system of records maintained by this agency to carry out its functions, indicates a suspected violation or reasonably imminent violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or a particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records may be referred at VA's initiative, as a routine use, to the appropriate agency, whether Federal, State, local or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto. However, names and addresses of veterans and their dependents will be released only to Federal entities.
4. Relevant information from this system of records may be disclosed as a routine use: in the course of presenting evidence to a court, magistrate or administrative tribunal, in matters of guardianship, inquests and commitments; to private attorneys representing veterans rated incompetent in conjunction with issuance of Certificates of Incompetency; and to probation and parole officers in connection with Court required duties.
5. Any information in this system may be disclosed to a VA Federal fiduciary or a guardian ad litem in relation to his or her representation of a veteran only to the extent necessary to fulfill the duties of the VA Federal fiduciary or the guardian ad litem.
6. Relevant information may be disclosed to attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and to courts, boards, or commissions only to the extent necessary to aid VA in the preparation, presentation, and prosecution of claims authorized under Federal, State, or local laws, and regulations promulgated thereunder. Start Printed Page 27755
7. Relevant information may be disclosed to the Department of Justice and United States Attorneys in defense or prosecution of litigation involving the United States, and to Federal Agencies upon their request in connection with review of administrative tort claims filed under the Federal Tort Claims Act, 28 U.S.C. 2672.
8. Disclosure may be made to National Archives and Records Administration (NARA) and General Services Administration (GSA) in records management inspections conducted under authority of Title 44 United States Code.
9. Information in this system of records may be disclosed for the purposes identified below to a third party, except consumer reporting agencies, in connection with any proceeding for the collection of an amount owed to the United States by virtue of a person's participation in any benefit program administered by VA. Information may be disclosed under this routine use only to the extent that it is reasonably necessary for the following purposes: (a) To assist the VA in the collection of costs of services provided individuals not entitled to such services; and (b) to initiate civil or criminal legal actions for collecting amounts owed to the United States and/or for prosecuting individuals who willfully or fraudulently obtained or seek to obtain title 38 medical benefits. This disclosure is consistent with 38 U.S.C. 5701(b)(6).
10. The name and address of a veteran, other information as is reasonably necessary to identify such veteran, including personal information obtained from other Federal agencies through computer matching programs, and any information concerning the veteran's indebtedness to the United States by virtue of the person's participation in a benefits program administered by the VA may be disclosed to a consumer reporting agency for purposes of assisting in the collection of such indebtedness, provided that the provisions of 38 U.S.C. 5701(g)(4) have been met.
11. For computer matching program and Automated Data Processing (ADP) security review purposes, record information may be disclosed to teams from other source Federal agencies who are parties to computer matching agreements involving the information maintained in this system, but only to the extent that the information is necessary and relevant to the review.
12. The name and identifying information on a veteran and/or spouse may be provided to reported payers of earned and/or unearned income in order to verify the identifier provided, address, income paid, period of employment, and health insurance information provided on the means test and to confirm income and demographic data provided by other Federal agencies during income verification computer matching.
13. Identifying information, including Social Security Numbers, concerning veterans, their spouses, and the dependents of veterans may be disclosed to other Federal agencies for purposes of conducting computer matches to obtain valid identifying, demographic and income information to determine or verify eligibility of certain veterans who are receiving VA medical care under Title 38, United States Code.
14. The name and social security number of a veteran, spouse and dependents, and other identifying information as is reasonably necessary may be disclosed to the Social Security Administration, Department of Health and Human Services, for the purpose of conducting a computer match to obtain information to validate the social security numbers maintained in VA records.
15. Relevant information from this system may be disclosed to individuals, organizations, private or public agencies, etc., with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA in order for the contractor or subcontractor to perform the services of the contract or agreement.
This routine use does not authorize disclosure of FTI received from the Internal Revenue Service or the Social Security Administration to contractors or subcontractors.
Policies and Practices for Storing, Retrieving, Accessing, Retaining and Disposing of Records in the System:
Records are maintained on magnetic tape, magnetic disk, optical disk and paper.
Records (or information contained in records) maintained on paper documents are indexed and accessed by the veteran's name, social security number or case number and filed in case order number. Automated veterans' health eligibility records are indexed and retrieved by the veteran's name, social security number or case number. Automated health eligibility record information on spouses may be retrieved by the spouse's name or social security number.
1. Data transmissions between VA health care facilities and the HEC and VA databases housed at VA's AAC are accomplished using the Department's wide area network. The software programs at the respective facilities automatically flag records or events for transmission based upon functionality requirements. VA health care facilities and the HEC control access to data by using VHA's Veterans Health Information System and Technology Architecture (VISTA), (formerly known as Decentralized Hospital Computer Program (DHCP) software modules), specifically Kernel and MailMan. Kernel utility programs provide the interface between operating systems, application packages and users. Once data are identified for transmission, records are stored in electronic mail messages, which are then transmitted via the Department's electronic communications system (wide area network) to specific facilities on the Department's wide area network. Server jobs at each facility run continuously to check for data to be transmitted and/or incoming data which needs to be parsed to files on the receiving end. All mail messages containing data transmissions include header information that is used for validation purposes. Consistency checks in the software are used to validate the transmission, and electronic acknowledgment messages are returned to the sending application. The Department's Telecommunications Support Service has oversight responsibility for planning security.
2. Working spaces and record storage areas at the HEC are secured during all business hours, as well as during non-business hours. All entrance doors require an electronic passcard for entry when unlocked, and entry doors are locked outside normal business hours. Electronic passcards are issued by the HEC Security Officer. HEC staff controls visitor entry by door release or escort. The building is equipped with an intrusion alarm system for non-business hours, and this system is monitored by a security service vendor. The office space occupied by employees with access to veteran records is secured with an electronic locking system, which requires a card for entry and exit of that office space. Access to the VA AAC is generally restricted to AAC staff, VA Headquarters employees, custodial personnel, Federal Protective Service and authorized operational personnel through electronic locking devices. All other persons gaining access to the computer rooms are escorted.Start Printed Page 27756
3. Strict control measures are enforced to ensure that access to and disclosure from all records, including electronic files and veteran specific data elements, stored in the HEC veteran database is limited to VA employees whose official duties warrant access to those files. The HEC automated record system recognizes authorized users by keyboard entry of a series of unique passwords. Once the employee is logged onto the system, access to the files is controlled by discrete menus which are assigned by the HEC computer system administration staff, upon request from the employee's supervisor and employee's demonstrated need to access the data to perform the employee's assigned duties. A number of other security measures are implemented to enhance security of electronic records (automatic timeout after short period of inactivity, device locking after pre-set number of invalid logon attempts, etc.). Employees are required to sign a user access agreement acknowledging their knowledge of confidentiality requirements, and all employees receive annual training on information security. Access is deactivated when no longer required for official duties. Recurring monitors are in place to ensure compliance with nationally and locally established security measures.
4. Veteran data is transmitted from the HEC to VA health care facilities and National Enrollment Database (NED) over the Department's computerized electronic communications system. Access to data in these files is controlled at the health care facility and NED level in accordance with nationally and locally established data security procedures. The NED is a database developed to support a national enrollment system. VA employees at these facilities are granted access to patient data on a “need-to-know” basis. All employees receive information security training and are issued unique access and verify codes. Employees are assigned computer menus that allow them to view and edit records as authorized by the supervisor. While employees at the health care facility may edit data which was initially input at the facility level, employees at the facility do not have edit access to income tests which originated at the HEC.
5. In addition to passcards, the HEC computer room requires manual entry of a security code prior to entry. Only the Automated Information System (AIS) staff and the HEC security officer are issued the security code to this area. Programmer access to the HEC database is restricted only to those AIS staff whose official duties require that level of access.
6. On-line data reside on magnetic media in the HEC computer room that is highly secured. Backup media are stored in a combination lock safe in a secured room within the same building; only information system staff has access to the safe. On a weekly basis, backup media are stored in off-site storage by a media storage vendor. The vendor picks up and returns the media in a locked storage container; vendor personnel do not have key access to the locked container.
7. Any sensitive information that may be downloaded to personal computer files in the HEC or printed to hard copy format is provided the same level of security as the electronic records. All paper documents and informal notations containing sensitive data are shredded prior to disposal. All magnetic media (primary computer system) and personal computer disks are degaussed prior to disposal or release off site for repair.
8. The IVM program of the HEC requires that HEC obtain veteran and spouse earned and unearned income data from IRS and SSA. The HEC complies fully with the Tax Information Security Guidelines for Federal, State and Local Agencies (Department of the Treasury IRS Publication 1075) as it relates to access and protection of such data. These guidelines define the management of magnetic media, paper and electronic records, and physical and electronic security of the data.
9. All new HEC employees receive initial information security training with refresher training provided to all employees on an annual basis. An annual information security audit is performed by the VA Regional Information Security Officer. This annual audit includes the primary computer information system, the telecommunication system, and local area networks. Additionally, the IRS performs periodic on-site inspections to ensure the appropriate level of security is maintained for Federal tax data. The HEC Information Security Officer and AIS administrator additionally perform periodic reviews to ensure security of the system and databases.
10. Identification codes and codes used to access HEC automated communications systems and records systems, as well as security profiles and possible security violations, are maintained on magnetic media in a secure environment at the Center. For contingency purposes, database back-ups on removable magnetic media are stored off-site by a licensed and bonded media storage vendor.
11. Neither field offices, the contractor administering the Call Center for VHA, nor the NED will receive FTI from HEC.
12. Contractor working spaces and record storage areas are secured during all business hours, as well as during non-business hours. All entrance doors require an electronic passcard for entry when unlocked, and entry doors are locked outside normal business hours. Electronic passcards are issued by the contractor's Security Officer. Visitor entry is controlled by the contractor's staff by door release and/or door escort. The building is equipped with an intrusion alarm system for non-business hours, and this system is monitored by a security service vendor.
13. Strict control measures are enforced to ensure that access to and disclosure from all records including electronic files and veteran specific data elements in the contractor veteran call tracking database are limited to contractor's employees whose official duties warrant access to those files. The automated record system recognizes authorized users by keyboard entry of a series of unique passwords. Once the employee is logged onto the system, access to files is controlled by discrete menus, assigned by the contractor computer system administration staff upon request from the employee's supervisor and the employee's demonstrated need to access the data to perform assigned duties. A number of other security measures are implemented to enhance security of electronic records (automatic timeout after short period of inactivity, device locking after pre-set number of invalid logon attempts, etc.). Employees are required to sign a user security policy agreement acknowledging their understanding of confidentiality requirements, and all employees receive annual training on information security. Access is deactivated when no longer required for official duties.
14. Contractors and subcontractors will adhere to the same safeguards and security requirements as the HEC is held to.
Retention and Disposal:
Depending on the record medium, records are destroyed by either shredding or degaussing. Paper records are destroyed after they have been accurately scanned on optical disks. Optical disks or other electronic medium are deleted when all phases of the veteran's appeal rights have ended (ten years after the income year for which the means test verification was conducted). Tapes received from SSA and IRS are destroyed 30 days after the Start Printed Page 27757data have been validated as being a true copy of the original data. Summary reports and other output reports are destroyed when no longer needed for current operation. Records are disposed of in accordance with the records retention standards approved by the Archivist of the United States, National Archives and Records Administration, and published in the VHA Records Control Schedule 10-1. Regardless of the record medium, no records will be retired to a Federal records center.
System Manager(s) and Addresses:
Official responsible for policies and procedures: Chief Information Officer (19), VA Central Office, 810 Vermont Avenue, NW., Washington, DC 20420. Official maintaining the system: Director, Health Eligibility Center, 1644 Tullie Circle, Atlanta, Georgia 30329.
An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier or wants to determine the contents of such record, should submit a written request or apply in person to the Health Eligibility Center. All inquiries must reasonably identify the records requested. Inquiries should include the individual's full name, social security number and return address.
Record Access Procedures:
Individuals seeking information regarding access to and contesting of HEC records may write to the Director, HEC, 1644 Tullie Circle, Atlanta, Georgia 30329.
Contesting Record Procedures:
(See Record Access procedures above).
Record Source Categories:
Information in the systems of records may be provided by the veteran; veteran's spouse or other family members or accredited representatives or friends; employers and other payers of earned income; financial institutions and other payers of unearned income; health insurance carriers; other Federal agencies; “Patient Medical Records—VA” (24VA136) system of records; Veterans Benefits Administration automated record systems (including Veterans and Beneficiaries Identification and Records Location Subsystem—VA (38VA23); and the “Compensation, Pension, Education and Rehabilitation Records—VA” (58VA21/22).End Supplemental Information
[FR Doc. 01-12527 Filed 5-17-01; 8:45 am]
BILLING CODE 8320-01-P