Department of Veterans Affairs (VA).
Notice of amendment to system of records.
As required by the Privacy Act of 1974 (5 U.S.C. 552a(e)), notice is hereby given that the Department of Veterans Affairs is amending the system of records currently entitled “Program Evaluation Research Data Management Records—VA” (107VA008B) as set forth in the Federal Register 66 FR 29633-35. VA is amending the system by revising the System Name; System Location; Categories of Individuals Covered by the System; Categories of Records in the System; Purpose(s); Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses; Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System; System Manager and Address(es); Notification Procedures; Record Access Procedure(s); Contesting Records Procedures; and Record Source Categories. VA will be publishing a new system of records notice to cover evaluation of non-health information. VA is republishing the system notice in its entirety.
Comments on the amendment of this system of records must be received no later than April 20, 2007. If no public comment is received, the new system will become effective April 20, 2007.
Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to the Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays). Please call (202) 273-9515 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System.
FOR FURTHER INFORMATION CONTACT:
Dat Tran, Director, Office of Data Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, (202) 273-6482.
I. Description of Proposed Systems of Records
While this System of Records has been amended to reflect the current organizational alignment, its number remains 107VA008B. The System Name is changed from “Program Evaluation Research Data Management Records—VA” to “Health Program Evaluation—VA” to more accurately reflect the scope of activity conducted with data from this system of records.
This System of Records has been refocused to apply to data gathered from all VA components, including protected health information (PHI) supplied by the Veterans Health Administration (VHA) that is needed to conduct data collection, storage and analyses on behalf of VHA for program evaluations, and analysis including descriptions of the utilization of services, demographic profiles of service or benefit users, utilization projections, forecasting, and trend analyses, and other analyses that characterize patterns of utilization, costs, and future service needs. A more complete description of the duties and activities of the Office of Policy and Planning (OPP) is at http://www1.va.gov/op3/docs/008_org.pdf. OPP receives, maintains and uses VHA PHI under a Business Associate Agreement (BAA) between VHA and OPP. OPP receives, maintains, uses and discloses information from this system of records in accordance with these Rules. VHA periodically reviews the handling of its data to ensure that the requirements of these Rules are met.
The Safeguards section has been updated to reflect the additional security requirements and restrictions on the use of health information obtained from the Veterans Health Administration (VHA) in compliance with requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, 45 CFR Parts 160 and 164. The Privacy and Security Rules became effective after the date of initial publication of this system of records. This portion of the amendment documents privacy and security procedures implemented earlier to reflect the requirements of these Rules.
The Department has made minor edits to the System Notice for grammar and clarity purposes to reflect plain language, including changes to routine uses. These changes are not, and are not intended to be, substantive, and are not further discussed or enumerated.
II. Proposed Amendments to Routine Use Disclosures of Data in the System
A statement clarifying that the routine use disclosure statements in this system of records do not provide authority for VA to disclose individually identifiable health information protected by 38 U.S.C. 7332 or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule has been added. This means VA must have disclosure authority under 38 U.S.C. 7332, HIPAA, or both, where applicable, before disclosure under any routine use for data covered by these provisions. Further, routine uses are amended to provide consistency with the standards defined by the Department of Health and Human Services under HIPAA.
Routine use number 1 clarifies the scope of records that can be disclosed.
Routine use number 2 is clarified as to the scope of records that can be disclosed.
Routine use number 3 is revised to specify the privacy requirements and information use safeguards as required by OPP when records are shared with other Federal agencies for their use or for OPP information matching needs.
Routine use number 4 is revised to specify the privacy requirements and information use safeguards as required by OPP when records are shared with contractors, consultants, and collaborating analysts who have been engaged by the VA.
Routine use number 5 specifies that system records may be disclosed to the Office of Management and Budget.
Routine use number 6 states that records may be disclosed to ensure data security, and to respond to a suspected compromise of covered data, including efforts to remedy any potential harm from the compromise. Section 5724 of title 38, United States Code, requires such actions. Also, in determining whether to disclose records under this routine use, VA will comply with the guidance promulgated by the Office of Management and Budget in a May 24, 1985, memorandum entitled “Privacy Act Guidance—Update”, currently posted at http://www.whitehouse.gov/omb/inforeg/guidance1985.pdf.
Routine use number 7 is clarified as to the scope of records that can be disclosed to the Department of Justice (DoJ).
Routine use number 8 is clarified as to the scope of records that can be disclosed for law enforcement purposes.
III. Compatibility of the Proposed Routine Uses
The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which we collected the information. In all of the routine use disclosures described above, the recipient of the information will use the information in connection with a matter relating to one of VA's programs, will use the information to provide a benefit to VA, or disclosure is required by law.
The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
Approved: March 6, 2007.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
Health Program Evaluation—VA.
The system of records is located in the office of the Director, Office of Data Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Records are stored on a secured server computer at the VA Austin Automation Center, 1615 Woodward Street, Austin, Texas 78722. Records not stored at the VA Austin Automation Center are stored on electronic media or laser optical media in a combination-protected safe which is secured inside a key-accessed room at the U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC, 20420. Records necessary for a contractor to perform analyses under a contract are located at the respective contractor's secure facility.
Categories of Individuals Covered by the System:
1. Veterans who have applied for healthcare services or benefits under Title 38, United States Code.
2. Veterans' spouse, surviving spouse, previous spouse, children, and parents who have applied for healthcare services or benefits under Title 38, United States Code.
3. Beneficiaries of other Federal agencies or other governmental entities.
4. Individuals examined or treated under contract or resource sharing agreements.
5. Individuals examined or treated for research or donor purposes.
6. Individuals who have applied for Title 38 benefits but who do not meet the requirements under Title 38 to receive such benefits.
7. Individuals who were provided medical care under emergency conditions for humanitarian reasons.
8. Pensioned members of allied forces provided healthcare services under Title 38, United States Code.
Categories of Records in the System:
Records include identification numbers, contact and location information, demographic information, military service descriptions, residency characteristics, economic information, healthcare visit descriptions, patient assessments, medical test descriptions and results, diagnoses, disability assessments, treatments, pharmaceutical information, service utilization and associated medical staffing and resource costs, entitlements or benefits, patient survey results, and health status. The records include information that is created or collected during the course of normal clinical operations work and is provided by patients, employers, students, volunteers, contractors, subcontractors, and consultants. In addition, records also include social security numbers, military service numbers, claim or file numbers, and DoD's identification numbers.
Authority for Maintenance of the System:
Health-related qualitative, quantitative, and actuarial analyses and projections to support policy analyses and recommendations to improve VA services for veterans and their families. Analysis and review of policy and long-term planning issues affecting veterans programs to support legislative, regulatory and policy recommendations and initiatives.
Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:
To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information, 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, or both, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
1. Any system records disclosure may be made to a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained.
2. Any system records disclosure may be made to the National Archives and Records Administration as required in records management inspections under title 44 U.S.C.
3. Any system records may be disclosed to a Federal agency for the conduct of research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that there is legal authority under all applicable confidentiality statutes and regulations to provide the data and OPP has determined prior to the disclosure that OPP data handling requirements are satisfied. OPP may disclose limited individual identification information to another Federal agency for the purpose of matching and acquiring information held by that agency for OPP to use for the purposes stated for this system of records.
4. Any system records may be disclosed to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has an agreement or contract to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA.
5. Any system records may be disclosed to the Office of Management and Budget in order for them to perform their statutory responsibilities of evaluating Federal programs.
6. Any records may be disclosed to appropriate agencies, entities, and persons under the following circumstances: When (1) it is suspected or confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure is made to such agencies, entities, and persons who are reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
7. VA may disclose information in this system of records to the Department of Justice, either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.
In determining whether to disclose records under this routine use, VA will comply with the guidance promulgated by the Office of Management and Budget in a May 24, 1985, memorandum entitled “Privacy Act Guidance—Update”, currently posted at http://www.whitehouse.gov/omb/inforeg/guidance1985.pdf.
8. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature, and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.
Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:
VA sensitive information, including individually identifiable health information, is stored on electronic media, laser optical media, on a segregated secure server or in paper form. Data stored on a secure server are located at the Austin Automation Center. Electronic media, or laser optical media data are kept locked in a safe when not in immediate use. The safe is secured inside a key-accessed room at OPP. Information stored on paper is kept locked in file cabinets when not in immediate use. Databases are temporarily placed on a secured server inside a restricted network area for data match purposes only. Information that resides on a segregated server is kept behind locked doors with limited access. Requestors of OPP stored health information within VA, or from external individuals, contractors, organizations, and/or agencies with whom VA has a contract or agreement, must provide an equivalent level of security protection and comply with all applicable VA policies and procedures for storage and transmission as codified in VA directives such as but not limited to VA Directive 6504.
Individually-identified health care information is kept in two forms. The first form is the original data file containing the names and social security numbers of the record subjects. OPP assigns unique codes derived from social security numbers to these individual records prior to conducting analyses on the data. The encryption key for social security numbers and other numerical identifiers of the individuals is stored in a safe in OPP. The original records may be retrieved using social security numbers, military service number, claim or file number, DoD's identification numbers, or other personal numerical identifiers. The records containing the encrypted identifiers may be retrieved only by those identifiers.
This list of safeguards furnished in this System of Record is a general statement of measures taken to protect health information. For example, HIPAA guidelines for protecting health information will be followed and OPP will adopt evolving health care industry best practices in order to provide adequate safeguards. Further, VA policy directives that specify the standards that will be applied to protect health information will be provided to VA staff and contractors through mandatory data privacy and security training.
Access to data storage areas is restricted to authorized VA employees or contract staff who have been cleared to work by the VA Office of Security and Law Enforcement. Health information file areas are locked after normal duty hours. VA facilities are protected from outside access by the Federal Protective Service and/or other security personnel.
Access to health information provided by the Veterans Health Administration (VHA) pursuant to a Business Associate Agreement (BAA) is restricted to those OPP employees and contractors who have a need for the information in the performance of their official duties related to the terms of the BAA. As a general rule, full sets of health care information are not provided for use unless authorized by the OPP Assistant Secretary. File extracts provided for specific official uses will be limited to the minimum necessary amount and contain only the information fields needed for the analysis. Data used for analyses will have individual identifying characteristics removed whenever possible.
Security complies with applicable Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST). Health information files containing unique identifiers such as social security numbers are encrypted to NIST-verified FIPS 140-2 standard or higher for storage, transport, or transmission. All files stored or transmitted on laptops, workstations, data storage devices and media are encrypted. Files are kept encrypted at all times except when data is in immediate use, per specifications by VA Office of Information Technology. NIST publications were consulted in development of security for this system of records.
Contractors and their subcontractors are required to maintain the same level of security as VA staff for health care information that has been disclosed to them. Any data disclosed to a contractor or subcontractor to perform authorized analyses requires the use of Data Use Agreements, Non-Disclosure Statements and Business Associates Agreements to protect health information. Unless explicitly authorized in writing by the VA, sensitive or protected data made available to the contractor and subcontractors shall not be divulged or made known in any manner to any other person. Other federal or state agencies requesting health care information need to execute Data Use Agreements to protect data.
OPP's work area is accessed for business-only needs. For data that is not stored on a secure server, the data is stored in a combination-protected safe which is secured inside a limited access room. Direct access to the safe is controlled by select individuals who possess background security clearances. Only a few employees with strict business needs or “need-to-know” access and completed background checks will ever handle the data once it is removed from the safe for data match purposes.
Retention and Disposal:
Records are maintained and disposed of in accordance with records disposition authority approved by the Archivist of the United States. If the Archivist has not approved disposition authority for any records covered by the system notice, the System Manager will take immediate action to have the disposition of records in the system reviewed and paperwork initiated to obtain an approved records disposition authority in accordance with VA Handbook 6300.1, Records Management Procedures. OPP will publish an amendment to this notice upon issuance of NARA-approved disposition authority. The records may not be destroyed until VA obtains an approved records disposition authority. OPP destroys electronic files when no longer needed for administrative, legal, audit, or other operational purposes. In accordance with title 36 CFR 1234.34, Destruction of Electronic Records, “electronic records may be destroyed only in accordance with a records disposition schedule approved by the Archivist of the United States, including General Records Schedules.”
System Manager(s) and Address(es):
Director, Office of Data Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420.
An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to determine the contents of such record, should submit a written request to the Director, Office of Data Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Such requests must contain a reasonable description of the records requested. All inquiries must reasonably identify the health care information involved and the approximate date that medical care was provided. Inquiries should include the patient's full name, social security number, telephone number and return address.
Record Access Procedures:
Individuals seeking information regarding access to and contesting of VA health information maintained by the Office of Policy and Planning may send a request by mail to the Director, Data Development and Analysis Service, (008A3), Department of Veterans Affairs, 810 Vermont Ave., Washington, DC 20420.
Contesting Records Procedures:
(See Notification procedure above.)
Record Source Categories:
Information is obtained from VHA and other VA staff offices and Administrations, OPP's National Survey of Veterans, national surveys (e.g., National Long Term Care Survey, National Health Interview Survey), Federal agencies (e.g., Department of Defense, Department of Health and Human Services), state agencies, and other private and public health provider or insurance programs and plans.
[FR Doc. E7-5135 Filed 3-20-07; 8:45 am]
BILLING CODE 8320-01-P