Department of Veterans Affairs (VA).
Notice of amendment to an existing System of Records.
As required by the Privacy Act of 1974 (title 5, United States Code (U.S.C.), Section 552a(e)), notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records currently entitled, “Shipboard Hazard and Defense Integrated Database—VA” (128VA008A) as set forth in the Federal Register 68 FR 56379. VA is amending the system by revising the System Number, System Name, System Location, Categories of Individuals Covered by the System, Categories of Records in the System, Authority for Maintenance of the System, Purpose, and Routine Uses of Records Maintained in the System, including Categories of Users and the Purposes of Such Uses, the System Manager, System Address and Notification and Records Access sections of the system notice. VA is republishing the system notice in its entirety.
Comments on the amendment of this system of records must be received no later than May 21, 2007. If no public comment is received, the new system will become effective May 21, 2007.
Written comments may be submitted through www.Regulations.gov; by mail or hand-delivery to the Director, Regulations Management (00REG), U. S. Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays). Please call (202) 273-9515 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System.
FOR FURTHER INFORMATION CONTACT:
Dat Tran, Director, Data Development and Analysis Service, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Ave., NW., Washington, DC 20420, (202) 273-6482.
I. Description of the Proposed Amendments to Systems of Records “Shipboard Hazard and Defense Integrated Database—VA” (128VA008A)
The System Name is changed from “Shipboard Hazard and Defense Integrated Database—VA” to the “Chemical and Biological Agent Exposure Database—VA” because the Department of Defense (DoD) will provide VA with individually-identified data on individuals whom DoD identifies as having been exposed (or possibly exposed) to chemical and biological agents while on active duty. The System Number is changed from 128VA008A to 128VA008 to reflect the current office within the VA Office of Policy and Planning (OPP), previously known as the Office of Policy, Planning, and Preparedness, that is the System Manager for the system of records.
VA is changing the System Location to reflect the fact that OPP also stores copies of electronic data on a secured server in VA's Austin Automation Center. VA is also amending the Storage and Safeguards portions of the notice to provide relevant information about the storage and safeguards for electronic data stored at the Austin Automation Center.
The Categories of Individuals Covered in the System portion of the System notice is amended to include all veterans, not just Project Shipboard Hazard and Defense (Project SHAD) and Project 112 veterans, whom DoD identifies as having been exposed (or possibly exposed) to chemical and biological agents while on active duty.
VA is expanding the Categories of Records in the System Section to include protected health information received from VA's Veterans Health Administration (VHA), financial-related information (i.e., VA and other Federal benefits etc.) for benefits utilization reports, as well as additional data elements from select VA databases currently providing information for this system of records. VA is also simplifying the description of the categories of records in the system by listing the various types of records maintained rather than continuing the current “laundry list” of records. For example, the new notice states that VA will maintain “personal identifiers” rather than listing name, social security number and veteran service number as is done in the current notice. VA is not deleting any records from the Categories of Records in the System.
The Authority for Maintenance of the System was previously the general regulatory authority of the Secretary of Veterans Affairs, section 501 of title 38, U.S.C. VA is revising this section of the notice to read title 38, U.S.C. 527, which mandates that the Department engage in gathering and conducting statistical analysis on data in order to evaluate and improve the delivery of title 38 benefits to America's veterans and their dependents.
VA is amending the Purposes section of the notice to reflect the duties that OPP performs with the data under section 527 of title 38, U.S.C.
VA is amending the Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System to reflect the change in how OPP stores records in VA Central Office. VA is also providing information concerning the data stored on the secured server at the Austin Automation Center.
Retrievability is amended to state the other data fields by which OPP will retrieve information from this system of records.
Safeguards are changed to reflect a new storage location, and enhanced security measures adopted since VA last published this notice.
The Systems Managers, Addresses, Notification, and Records Access Procedures Sections are amended to reflect new point of contact information and organizational name changes.
The Department has made minor edits to the System Notice for grammar and clarity purposes to reflect plain language, including changes to routine uses. These changes are not, and are not intended to be, substantive, and are not further discussed or enumerated.
II. Proposed Routine Use of Disclosures of Data in the System
VA is rewriting existing routine uses in the System using plain language. The use of plain language in these routine uses does not, and is not intended to, change the disclosures authorized under these routine uses. VA is amending, deleting, rewriting and reorganizing the order of the routine uses in this system of records, as well as adding new routine uses.
VA is amending the preamble before the listing of routine uses to state that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule must also permit disclosure of individually-identifiable information from the system of records before OPP may disclose records under the routine use.
Routine Use Number 1 is not changed substantively.
VA is deleting current routine use number 2 because the Agency does not disclose information from this system of records under this routine use.
VA is deleting current routine use number 3 because the Agency does not disclose information from this system of records under this routine use.
VA is not amending current routine use number 4 substantively, but is renumbering it as routine use number 2 in the amended system of records notice.
VA is not amending current routine use number 5, but is renumbering it as routine use number 8 in the amended system of records notice.
VA is amending current routine use number 6 and renumbering it as routine use number 3. The new routine use states prior to disclosure that OPP will determine: (A) That the disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) that the study purpose (1) cannot be reasonably accomplished unless the record is provided in individually-identifiable form, and (2) warrants the risk to the privacy of the individual that additional exposure of the record might bring; and (C) that the recipient has agreed that (1) It will establish (if it hasn't already) reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) it will remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the study, unless the recipient has presented adequate justification of a study or health nature for retaining such information, and (3) it will make no further use or disclosure of the record except (a) In emergency circumstances affecting the health or safety of any individual, (b) for use in another study, under these same conditions, and only with prior written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the study, if information that would enable veterans or their dependents to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law. VA will secure a written statement attesting to the recipient's understanding of, and willingness to abide by, these provisions.
In an effort to obtain health and other information, OPP may disclose limited individual identification information to another Federal agency for the purpose of matching and acquiring information held by that agency. Records that are matched with information owned by another Federal agency, such as DoD, will not be used for determining eligibility of benefits or services through VA or another Federal agency.
VA is renumbering current routine use number 7 as routine use number 4 and amending it to more accurately reflect the conditions under which VA, on its own initiative, may disclose information from this system of records for law enforcement purposes.
VA is deleting current routine use number 8 because VA does not anticipate releasing information from this system of records for the purpose stated in current routine use number 8.
VA is renumbering current routine use number 9 as routine use number 5, and amending it to more clearly state when OPP will disclose information to the Department of Justice or may itself disclose records in litigation involving the United States. In determining whether to disclose records under this routine use, VA will comply with the guidance promulgated by the Office of Management and Budget (OMB) in a May 24, 1985, memorandum entitled “Privacy Act Guidance—Update” currently posted at http://www.whitehouse.gov/omb/inforeg/guidance1985.pdf.
Routine use number 6 is a new routine use authorizing OPP to disclose individually-identifiable information to contractors or other entities that will provide services to OPP for which the recipient needs that information in order to perform the services.
Routine use number 7 is a new routine use that states the circumstances, and to whom, VA may disclose records in order to respond to, and minimize possible harm to individuals as a result of a data breach. This routine use is promulgated in order to meet VA's statutory duties under title 38, U.S.C. 5724 and the Privacy Act.
III. Compatibility of the Proposed Routine Uses
The Privacy Act permits VA to disclose information about individuals without their authorization for a routine use when the information will be used for a purpose that is compatible with the purpose for which we collected the information. In all of the routine use disclosures, either the recipient of the information will use the information in connection with a matter relating to one of VA's programs, will use the information to provide a benefit to VA, or the disclosure is required by law.
The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of OMB as required by title 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
Approved: April 5, 2007.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
“Chemical and Biological Agent Exposure Database—VA”.
One location for electronic and paper records, following VA-approved procedures, is in the Office of the Director, Data Development and Analysis Service, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Ave., NW., Washington, DC 20420. Additionally, electronic records are also placed on the Department of Veterans Affairs' (VA's) secured server which is housed at VA's Austin Automation Center, 1615 Woodward St., Austin, TX 78772. Records necessary for a contractor to perform under a VA-approved contract are located at the respective contractor's facility.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Veterans identified by DoD or another government agency as having been exposed to any type of chemical (including psycho-chemical) and biological agents during active duty.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records include personal identifiers, residential and professional contact data, population demographics, military service-related data, financial-related data, claims processing codes and information, and other VA and non-VA Federal benefit information. Additionally, some records may contain DoD health care-related data or VHA-originated health care information.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Title 38, U.S.C. 527.
To measure and evaluate on a continuing basis all programs authorized under title 38, U.S.C., including analysis and review of policy and planning issues affecting VA programs, in order to support legislative, regulatory and policy recommendations, initiatives and decisions affecting VA programs and activities.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include information protected by Title 45, Code of Federal Regulations (CFR) Parts 160 and 164 (i.e., individually identifiable health information) and title 38, U.S.C. 7332 (i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus), that information cannot be disclosed under a routine use unless there is also specific statutory authority in title 38, U.S.C. 7332 and regulatory authority in Title 45, CFR Parts 160 and 164 permitting disclosure.
1. Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
2. Any disclosure from the system of records may be made to the National Archives and Records Administration (NARA) in records management inspections under title 44, U.S.C.
3. Any system records may be disclosed to a Federal agency for the conduct of research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that there is legal authority under all applicable confidentiality statutes and regulations to provide the data and OPP has determined prior to the disclosure that OPP data handling requirements are satisfied. OPP may disclose limited individual identification information to another Federal agency for the purpose of matching and acquiring information held by that agency for OPP to use for the purposes stated for this system of records.
4. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.
5. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.
6. Any system records may be disclosed to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement for the performance of the services identified in the contract or agreement. The person performing the agreement or contract (or employees of the person) also may disclose records covered by the contract or agreement to any secondary entity or individual to perform an activity necessary to provide to VA the service identified in the contract or agreement as permitted under the contract or agreement.
7. VA may, on its own initiative, disclose information when VA reasonably believes that there may have been a data breach with respect to information in the system such that the confidentiality or integrity of information in the system of records may have been compromised to such agencies, entities, and persons who are reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed data breach and prevent, minimize, or remedy such harm, including conduct of any risk analysis, or provision of credit protection services as provided in title 38, U.S.C. 5724.
8. Disclosure of information, excluding names and address (unless furnished by the requestor) for research purposes determined to be necessary and proper, may be made to epidemiological and other research facilities approved by the Under Secretary for Health.
DISCLOSURE TO CONSUMER REPORTING AGENCIES:
VA will not disclose information to consumer reporting agencies.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:
OPP's secured records are maintained electronically or remain in textual form. All portable storage devices and media are kept in a safe when not in immediate use. The devices and other media are located in a combination-locked safe which is secured inside a key-accessed room at the U.S. Department of Veterans Affairs, 810 Vermont Ave., NW., Washington, DC 20420. Other electronic data are placed on VA's segregated server which is housed at VA's Austin Automation Center, 615 Woodward St., Austin, TX 78772. Information stored on paper is kept locked in file cabinets when not in immediate use. Databases are temporarily placed on a secured server inside a restricted network area for data match purposes only. Information that resides on a segregated server is kept behind cipher locked doors with limited access. Requestors of OPP stored health information within VA, or from external individuals, contractors, organizations, and/or agencies with whom VA has a contract or agreement, must provide an equivalent level of security protection and comply with all applicable VA policies and procedures for storage and transmission as codified in VA directives such as but not limited to VA Directive 6504.
OPP's records may be retrieved by using a social security number, military service number, VA claim or file number, non-VA Federal benefit identifiers, and other personal identifiers.
This list of safeguards furnished in this system of records is a general statement of measures taken to protect data in this system of records and is not an exclusive list of measures taken. Other policies and protections apply. For example, HIPAA guidelines for protecting health information will be followed by adopting health-care-industry best practices in order to provide adequate safeguards. Further, VA policy directives that specify the standards that will be applied to protect information will be reviewed by VA staff and contractors through mandatory data privacy and security training annually.
All VA offices are protected from unauthorized access by security personnel seven days a week. Entrances and exits are monitored by security cameras and protected by an alarm system. All VA staff and visitors are required to either have a VA-issued employment identification card or a temporary visitor identification badge. All work stations are secured during daytime and evening hours.
Electronic data located in Washington, DC, are stored in a combination-key-locked safe which is secured inside a limited-access room. Authorized employee access to the limited-access room and the safe is based upon strict business needs as determined by the Assistant Secretary for Policy and Planning. Textual data are stored in key-locked cabinets inside secured rooms. Access to the server in Austin, TX, is generally limited by appropriate locking devices and restricted to authorized VA personnel.
Access to health information provided by VHA pursuant to a Business Associate Agreement (BAA) is restricted to those OPP employees and contractors who have a need for the information in the performance of their official duties related to the terms of the BAA. As a general rule, full sets of health care information are not provided for use unless authorized by the Assistant Secretary for Policy and Planning. File extracts provided for specific official uses will be limited to the minimum necessary records and contain only the information fields needed for the analysis. Data used for analyses will have individual identifying characteristics removed whenever possible.
Security complies with applicable Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST). Health information files containing unique identifiers such as social security numbers are encrypted to NIST verified FIPS 140-2 standard or higher for storage, transport, or transmission. All files stored or transmitted on laptops, workstations, or data storage devices are encrypted. Files are kept encrypted at all times except when data are in immediate use. These methods are applied in accordance with HIPAA Privacy and Security regulations.
All data requests must be received in writing, vetted through a review board, concurred on by the Assistant Secretary for Policy and Planning, and released under the auspices of a signed data use agreement. File extracts provided for specific official uses will be limited to contain only the information fields needed for the analysis. Data used for analyses will have individual identifying characteristics removed or encrypted whenever possible. Unencrypted sensitive variables will only be used for analysis as a last resort.
In the event of a contract or special project, VA may secure the services of contractors and/or subcontractors. In such cases, VA will maximize the utilization of encrypted data when possible. Contractors and their subcontractors are required to maintain the same level of security as VA staff for health care information that has been disclosed to them. Any data disclosed to a contractor or subcontractor to perform authorized analyses requires the use of Data Use Agreements (DUAs), Non-Disclosure Statements and BAAs to protect health information. Unless explicitly authorized in writing by VA, sensitive or protected data made available to the contractor and subcontractors shall not be divulged or made known in any manner to other parties or to any person. Other Federal or State agencies requesting health care information need to provide DUAs to protect data.
RETENTION AND DISPOSAL:
Records are destroyed or deleted when no longer needed for administrative, legal, audit, or other operational purposes in accordance with applicable, approved records disposition authority.
If the Archivist has not approved disposition authority for any records covered by the system notice, the System Manager will take immediate action to obtain an approved records disposition authority in accordance with VA Handbook 6300.1, Records Management Procedures. The records may not be destroyed until VA obtains an approved records disposition authority.
SYSTEM MANAGER(S) AND ADDRESS(ES):
OPP's system manager is the Director, Data Development and Analysis Service, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Ave., NW., Washington, DC 20420.
An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to determine the contents of such record, should submit a written request to the Director, Office of Data Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Ave., NW., Washington, DC 20420. Such requests must contain a reasonable description of the records requested. In addition, identification of the individual requesting the information will be required in the written request and will minimally consist of the requester's name, signature, social security number, address, telephone number, and return address.
RECORD ACCESS PROCEDURES:
Individuals seeking information regarding access to and contesting of records maintained by OPP under his or her name or other personal identifier may write the System Manager named above and specify the information being requested or contested.
CONTESTING RECORDS PROCEDURES:
(See Notification procedure above.)
RECORD SOURCE CATEGORIES:
Information is obtained from VHA patient medical records, various automated record systems providing clinical and managerial support to VA health care facilities, records from VA's Veterans Benefits Administration, DoD, and other Federal agencies.
[FR Doc. E7-7440 Filed 4-18-07; 8:45 am]
BILLING CODE 8320-01-P