Skip to Content

Notice

Privacy Act of 1974

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Department of Veterans Affairs (VA).

ACTION:

Notice of amendment to system of records.

SUMMARY:

The Privacy Act of 1974 (5 U.S.C. 552a(e)(4)) requires that all agencies publish in the Federal Register a notice of the existence and character of their system of records. Notice is hereby given that VA is amending the system of records entitled “Consolidated Data Information System-VA” (97VA105) as set forth in the Federal Register 66 FR 3650-3653 dated January 16, 2001. VA is amending the system by revising the System Location, Categories of Records Maintained in the System, Purpose(s), Routine Uses of Records Maintained in the System, Retention and Disposal, System Manager and Record Source Categories. VA is republishing the system notice in its entirety.

DATES:

Comments on the amendment of this system of records must be received no later than September 17, 2007. If no public comment is received, the amended system will become effective September 17, 2007.

ADDRESSES:

Written comments may be submitted through http://www.Regulations.gov;​ by mail or hand-delivery to the Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays). Please call (202) 273-9515 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS).

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Stephania H. Putt, Veterans Health Administration (VHA) Privacy Officer (19F2), Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, (727) 320-1839.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Under section 527 of Title 38, U.S.C., and the Government Performance and Results Act of 1993, Public Law 103-62, VA is required to measure and evaluate, on an ongoing basis, the effectiveness of VA benefit programs and services. In performing this required function, VA must collect, collate and analyze full statistical data regarding participation, provision of services, categories of beneficiaries, and planning of expenditures for all VA programs. This combined database is necessary for the Veterans Health Administration (VHA) to accurately and timely assess the current health care usage by the patient population served by VA, to forecast future demand for VA medical care by individuals currently eligible for service by VA medical facilities, and to understand the numerous implications of cross-usage between VA and non-VA health care systems. Start Printed Page 46131

As VA has widened its scope of the Centers for Medicare and Medicaid Services (CMS) data usage and further centralized the source of data in order to improve efficiency and protect privacy/security of data elements, it was necessary to implement changes to the management and use of these records. A summary of these changes follows:

1. The purpose of this system of records has been revised to add the need to use the records and information for audit and evaluation of Department programs, for determinations of eligibility for benefits and for research as defined by Common Rule.

2. The records are now maintained and retained at the primary and secondary VA recipient CMS data site locations listed in Appendix 5.

3. Under Categories of Records information from the Persian Gulf registry has been added and the types of CMS records maintained now includes health care utilization, demographic, enrollment, and survey/assessment files including veteran and non-veteran data. In addition, information on veterans enrolled for VA health care who have participated in the periodic “VHA Survey of Veteran Enrollees' Health and Reliance Upon VA” is now included in the system.

4. System Manager and Address was updated to reflect: Manager, Medicare and Medicaid Analysis Center, 100 Grandview Rd., Suite 114, Braintree, MA 02184.

Under section 264, Subtitle F of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 100 STAT. 1936, 2033-34 (1996), the United States Department of Health and Human Services (HHS) published a final rule, as amended, establishing Standards for Privacy of Individually-Identifiable Health Information, 45 CFR Parts 160 and 164. VHA may not disclose individually-identifiable health information (as defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to a routine use unless either: (a) The disclosure is required by law, or (b) the disclosure is also permitted or required by the HHS Privacy Rule. The disclosures of individually-identifiable health information contemplated in the routine uses published in this amended system of records notice are permitted under the Privacy Rule or required by law. However, to also have authority to make such disclosures under the Privacy Act, VA must publish these routine uses. Consequently, VA is adding a preliminary paragraph to the routine uses portion of the system of records notice stating that any disclosure pursuant to the routine uses in this system of records notice must be either required by law or permitted by the Privacy Rule before VHA may disclosed the covered information. VA is also proposing to amend the following routine use disclosures of information maintained in the system:

  • Routine use 3 has been amended in its entirety. On its own initiative, the VA may disclose information, except for the names and home addresses of veterans and their dependents, to a Federal, State, local, tribal or foreign agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. On its own initiative, the VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.
  • Routine uses 4, 5, 7, and 8 have revised for ease of readability and clarification. VA is also proposing to add the following routine use disclosure of information maintained in the system:
  • Routine use 9 was added to disclose to appropriate agencies, entities, and persons under the following circumstances: When (1) It is suspected or confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure is made to such agencies, entities, and persons who are reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

The Privacy Act permits VA to disclose information about individuals without their prior written consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which we collected the information. In all of the routine use disclosures described above, the recipient of the information will use the information in connection with a matter relating to one of VA's programs, will use the information to provide a benefit to VA, or disclosure is required by law.

The Report of Intent to Publish an Amended System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Start Signature

Approved: August 1, 2007.

Gordon H. Mansfield,

Deputy Secretary of Veterans Affairs.

End Signature

97VA105

SYSTEM NAME:

Consolidated Data Information System-VA.

SYSTEM LOCATION(S):

Records will be maintained at primary and secondary Department of Veteran Affairs (VA) recipient sites for the Centers for Medicare & Medicaid Services (CMS) data (see VA Appendix 5).

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Records include information concerning veterans, their spouses and their dependents, family members, active duty military personnel, and individuals who are not VA beneficiaries, but who receive health care services from the Veterans Health Administration (VHA).

CATEGORIES OF RECORDS IN THE SYSTEM:

Categories of records in the system will include veterans' names, addresses, dates of birth, VA claim numbers, social security numbers (SSNs), and military service information; medical benefit application and eligibility information; code sheets and follow-up notes; sociological, diagnostic, counseling, rehabilitation, drug and alcohol, dietetic, medical, surgical, dental, psychological, and/or psychiatric medical information; prosthetic, pharmacy, nuclear medicine, social work, clinical laboratory and radiology information; patient scheduling information; family information such as next of kin, spouse and dependents' names, addresses, social security numbers and dates of birth; family medical history; employment information; financial information; third-party health plan information; information related to registry systems, Start Printed Page 46132such as Ionizing Radiation, Gulf War and Agent Orange; date of death; VA claim and insurance file numbers; travel benefits information; military decorations; disability or pension payment information; amount of indebtedness arising from 38 U.S.C. benefits; medical and dental treatment in the Armed Forces and claim information; applications for compensation, pension, education and rehabilitation benefits; information related to incarceration in a penal institution; medication profile such as name, quantity, prescriber, dosage, manufacturer, lot number, cost and administration instruction; pharmacy dispensing information such as pharmacy name and address.

The records will include information on the Department of Defense (DoD) military personnel from two categories of DoD files: (1) Utilization files that contain inpatient and outpatient records, and (2) eligibility files from the Defense Eligibility Enrollment Reporting System (DEERS) containing data on all military personnel including those discharged from the Armed Services since 1972.

The records will include information on Medicare beneficiaries from CMS databases including: Health care usage, demographic, enrollment, and survey/assessment files including veteran and non-veteran data.

The records include information on Medicaid beneficiaries' utilization and enrollment from State databases.

The records will include information on veterans enrolled for VA health care who have participated in the periodic “VHA Survey of Veteran Enrollees” Health and Reliance Upon VA.”

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Section 527 of 38 U.S.C. and the Government Performance and Results Act of 1993, Public Law 103-62.

PURPOSE(S):

The purpose of this system of records is to conduct statistical studies and analyses which will support the formulation of Departmental policies and plans by identifying the total current health care usage of the VA patient population. The records and information may be used by VA for audit and evaluation of Department programs and for determinations of eligibility for benefits. The information may be used to conduct research.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSE OF SUCH USES:

VA may disclose protected health information pursuant to the following routine uses where required by law, or required or permitted by 45 CFR Parts 160 and 164.

1. Disclosure of identifying information, such as names, SSNs, demographic and utilization data, may be made to Federal, State, local, or tribal agencies such as the DoD, CMS, and Medicare Payment Advisory Commission (MedPAC), as part of statistical matching programs for the purpose of better identifying the total current health care usage of the patient population served by VA in order to forecast future demand for VA medical care by VA medical facilities.

2. Disclosure may be made to Federal, State, local, and tribal government agencies and national health organizations in order to assist in the development of programs that will be beneficial to claimants and assure that they are receiving all benefits to which they are entitled.

3. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

4. Disclosure may be made, excluding name and address (unless name and address are furnished by the requestor) for research purposes determined to be necessary and proper, to epidemiological and other research facilities approved by the System Manager or the Under Secretary for Health, or designee.

5. Any record in the system records may be disclosed to a Federal agency for the conduct of research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that there is legal authority under all applicable confidentiality statutes and regulations to provide the data and the VHA Medicare and Medicaid Analysis Center (MAC) has determined prior to the disclosure that VA data handling requirements are satisfied. MAC may disclose limited individual identification information to another Federal agency for the purpose of matching and acquiring information held by that agency for MAC to use for the purposes stated for this system of records.

6. Disclosure may be made to National Archives and Records Administration (NARA), General Services Administration (GSA) in records management inspections conducted under authority of 44 U.S.C.

7. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

8. Disclosure may be made to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has an agreement or contract to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA.

9. Any records may be disclosed to appropriate agencies, entities, and persons under the following circumstances: When (1) It is suspected or confirmed that the security or confidentiality of information in the Start Printed Page 46133system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure is made to such agencies, entities, and persons who are reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Data are maintained on magnetic tape, disk, or laser optical media.

RETRIEVABILITY:

Records may be retrieved by name, name and one or more criteria (e.g., dates of birth, death and service), SSN or VA claim number.

SAFEGUARDS:

1. Access to and use of these records is limited to those persons whose official duties require such access. Personnel screening is employed to prevent unauthorized disclosure.

2. Access to Automated Data Processing files is controlled at two levels: (1) Terminals, central processing units, and peripheral devices are generally placed in secure areas (areas that are locked or have limited access) or are otherwise protected; and (2) the system recognizes authorized users by means of an individually unique password entered in combination with an individually unique user identification code.

3. Access to automated records concerning identification codes and codes used to access various VA automated communications systems and records systems, as well as security profiles and possible security violations is limited to designated automated systems security personnel who need to know the information in order to maintain and monitor the security of VA's automated communications and veterans' claim records systems. Access to these records in automated form is controlled by individually unique passwords/codes. Agency personnel may have access to the information on a need to know basis when necessary to advise agency security personnel or for use to suspend or revoke access privileges or to make disclosures authorized by a routine use.

4. Access to VA facilities where identification codes, passwords, security profiles and possible security violations are maintained is controlled at all hours by the Federal Protective Service, VA or other security personnel and security access control devices.

RETENTION AND DISPOSAL:

Copies of back-up computer files will be maintained at primary and secondary VA recipient sites for CMS data (see Appendix 5). Records will be maintained and disposed of in accordance with the records disposal authority approved by the Archivist of the United States, the National Archives and Records Administration, and published in Agency Records Control Schedules.

SYSTEM MANAGER AND ADDRESS:

Manager, Medicare and Medicaid Analysis Center, 100 Grandview Rd., Suite 114, Braintree, MA 02184.

NOTIFICATION PROCEDURE:

Individuals wishing to inquire whether this system of records contains information about them should submit a signed written request to the Manager, Medicare and Medicaid Analysis Center, 100 Grandview Rd., Suite 114, Braintree, MA 02184.

RECORDS ACCESS PROCEDURES:

An individual who seeks access to records maintained under his or her name or other personal identifier may write the System Manager named above and specify the information being contested.

CONTESTING RECORD PROCEDURES:

(See Records Access Procedures above.)

RECORD SOURCE CATEGORIES:

Information may be obtained from the Patient Medical Records System (24VA136); Patient Fee Basis Medical and Pharmacy Records (23VA136); Veterans and Beneficiaries Identification and Records Location Subsystem (38VA23); Compensation, Pension, Education and Rehabilitation Records (58VA21/22); all other potential VA and non-VA sources of veteran demographic information; DoD utilization files and DEERS files; and CMS databases.

VA Appendix 5

Primary and Secondary VA Recipient Sites of CMS Data

1. Primary Site: Medicare and Medicaid Analysis Center, 100 Grandview Rd., Suite 114, Braintree, MA 02184.

2. Secondary Site: Veterans Health Administration (VHA) Office of the Assistant Deputy Under Secretary for Health (ADUSH) for Policy and Planning, 810 Vermont Avenue, NW., Washington, DC, 20420. Location of data for ADUSH at 811 Vermont Avenue, NW., Washington, DC, 20420; Silver Springs, MD; and/or Martinsburg, WV.

3. Secondary Site: VA Information Resource Center (VIReC), Hines VA Medical Center, 5th Ave & Roosevelt Ave, Hines, IL, 60141.

4. Secondary Site: VA Office of the Inspector General (OIG), 53CT, 1615 Woodward Street, Austin, TX, 78772.

5. Secondary Site: VA Austin Automation Center (AAC), 1615 Woodward Street, Austin, TX, 78722.

6. Secondary Site: VA Chief Business Office (CBO), Director of Business Development, 810 Vermont Ave, NW., Washington, DC, 20420.

7. Secondary Site: VISN Support Service Center (VSSC), 1615 Woodward Street, Austin, TX, 78722.

End Supplemental Information

[FR Doc. E7-16046 Filed 8-15-07; 8:45 am]

BILLING CODE 8320-01-P