Skip to Content

Notice

Privacy Act of 1974

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Department of Veterans Affairs.

ACTION:

Notice of Amendment of System of Records “Health Care Provider Credentialing and Privileging Records—VA.”

SUMMARY:

The Privacy Act of 1974 (5 U.S.C. 552(e)(4)) requires that all agencies publish in the Federal Register a notice of the existence and character of their systems of records. The Department of Veterans Affairs (VA) is amending the system of records, known as “Health Care Provider Credentialing and Privileging Records—VA” (77VA10Q) as set forth in the Federal Register 55 FR 30790 dated 12/6/01. VA is amending the system notice by revising the paragraphs on System Location, Categories of Records in the System, Routine Uses, System Manager(s) and Address, and Record Source Categories. VA is republishing the system notice in its entirety at this time.

DATES:

Comments on the amendment of this system of records must be received no later than April 25, 2008. If no public comment is received, the new system will become effective April 25, 2008.

ADDRESSES:

Written comments may be submitted through http://Start Printed Page 16098www.Regulations.gov; by mail or hand-delivery to the Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays). Please call (202) 273-9515 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS).

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Veterans Health Administration (VHA) Privacy Act Officer, Department of Veterans Affairs, 810 Vermont Ave., NW., Washington, DC 20420, (704) 245-2492.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

VHA is responsible for providing medical care under chapter 17 of title 38 United States Code. As part of providing quality health care, VHA engages in the credentialing (verification of education, training, and qualifications) of the practitioners delivering this care. VHA has a centralized electronic data warehouse (VetPro) to store credentialing health care provider data and the images of the primary source verification of health care providers' credentials. The previously reported joint credentialing and privileging project between the VHA and the Department of Health and Human Services, Health Resources and Services Administration (DHHS/HRSA) was terminated in October 2003, and the VetPro system in its entirety returned to VA.

A secondary information source is one that provides credentialing data that are derived from a primary source, i.e., National Practitioner Data Bank (NPDB), Federation of State Medical Boards (FSMB), etc. The NPDB manages the Health Integrity and Protection Data Bank (HIPDB). The final regulations for the HIPDB are published in 45 CFR part 61, which is a national health care fraud and abuse control program. It is a national data bank to receive and disclose certain final, adverse actions against health care practitioners, providers and suppliers. VHA queries the HIPDB for all new appointments as well as part of the re-privileging process for licensed independent practitioners previously-privileged by VHA in the form of a combined query with the NPDB. As a secondary information source, information obtained from the HIPDB may require additional supporting documentation either from a primary source or additional secondary sources for corroboration. To assure provider identification, and appropriate matching of information entered into an electronic system, VHA captures unique provider identifiers such as name, Social Security number, national provider identifier, and unique physician identification number that VHA uses to ensure the credentialing information is appropriately associated to the correct provider. In addition to capturing the national provider identifier (NPI), VA will capture the associated taxonomy codes.

Validated credentialing information may be shared with other established data systems such as Veterans Information Systems Technology Architecture (VistA) and Decision Support System (DSS). The purpose of sharing credentialing information and associated data is to decrease the duplicative effort of both providers and staff in gathering the same information multiple times for inclusion in different databases used in VHA. These data are required for such activities as emergency medical responses in times of national disaster, telemedicine, and medical care cost recovery and will be disclosed only to the extent it is reasonably necessary to assist in the accomplishment of statutory or government-wide administrative mandates.

Amendments to the System Location include that electronic records may be maintained by VHA Office of Quality and Performance (OQP), a component thereof, or contractor or subcontractor of VHA/OQP. The Category of Records in the System is amended to more clearly specify the accessing and reporting to the HIPDB, and the FSMB.

Routine uses 17 and 18 are amended to incorporate querying and reporting obligations for the HIPDB. The System Manager(s) and Addresses are amended to reflect that records may be maintained by human resources management offices in addition to previously identified locations. The System Manager(s) and Addresses are also being amended to reflect the termination of the agreement between the DHHS/HRSA and VA/VHA in October 2003. Record Source Categories is being amended to include the HIPDB.

Routine use 21 was added for the purpose of disclosure to OPP will determine that: (A) The disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) the study purpose (1) cannot be reasonably accomplished unless the record is provided in individually-identifiable form, and (2) warrants the risk to the privacy of the individual that additional exposure of the record might bring; and (C) the recipient has agreed that (1) it will establish (if it hasn't already) reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) will remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the study, unless the recipient has presented adequate justification of a study or health nature for retaining such information, and (3) will make no further use or disclosure of the record except (a) in emergency circumstances affecting the health or safety of any individual, (b) for use in another study, under these same conditions, and only with prior written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the study, if information that would enable veterans or their dependents to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law. Prior to disclosure, OPP will secure a written statement attesting to the recipient's understanding of, and willingness to abide by, these provisions.

Routine use 21 was added to disclose information to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement. Routine use 22 was added in the event of mitigating risk and or harm.

Routine use 23 was added to disclosure information to other Federal agencies in the event of assisting such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

An amendment was made to Routine use 8 to disclose information to the Department of Justice, either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the DoJ is the use of the information is compatible with the purpose for which VA collected the records. Routine use 14 was amended to disclose information to officials of the Merit Systems Protection Board, or the Office of Special Counsel. Start Printed Page 16099

VA is revising and updating the systems of record notice 77VA10Q, “Health Care Provider Credentialing and Privileging Records—VA.”

The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (61 FR 6428), February 20, 1996.

Start Signature

Approved: March 12, 2008.

Gordon H. Mansfield,

Deputy Secretary of Veterans Affairs.

End Signature

77VA10Q

SYSTEM NAME:

Health Care Provider Credentialing and Privileging Records—VA.

SYSTEM LOCATION:

Records are maintained at each Department of Veterans Affairs (VA) health care facility. Address locations for VA facilities are listed in VA Appendix 1 biennial publication of VA system of records. In addition, information from these records or copies of records may be maintained at the Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420 and/or Veterans Integrated Service Network (VISN) Offices. Records for those health care providers who are contractors in a VA health care facility, or to VA for the delivery of health care to veterans and are credentialed by the contractor in accordance with Veterans Health Administration (VHA) policy, where credentialing information is received by VHA facilities, it will be maintained in accordance with this notice and VHA policy. Electronic copies of records may be maintained by VHA Office of Quality and Performance (OPQ), a component thereof, or a contractor or subcontractor of VHA/OQP. Back-up copies of the electronic data warehouse are maintained at off-site locations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records include information concerning health care providers currently or formerly employed or otherwise utilized by VHA and individuals who apply to VHA for employment and are considered for employment or appointment as health care providers. These records will include information concerning individuals who through a contractual or other agreement may be, or are, providing health care to VA patients. This may include, but is not limited to, audiologists, dentists, dietitians, expanded-function dental auxiliaries, licensed practical or vocational nurses, nuclear medicine technologists, nurse anesthetists, nurse practitioners, registered nurses, occupational therapists, optometrists, clinical pharmacists, licensed physical therapists, physician assistants, physicians, podiatrists, psychologists, registered respiratory therapists, certified respiratory therapy technicians, diagnostic and therapeutic radiology technologists, social workers, and speech pathologists.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records in the system consist of information related to:

(1) The credentialing (the review and verification of an individual's qualifications for employment or utilization, which includes licensure, registration or certification, professional education and training, employment history, experience, appraisals of past performance, health status, etc.) of applicants who are considered for employment and/or appointment, for providing health services under a contract or other agreement, and/or for appointment to the professional staff at a VHA health care facility.

(2) The privileging (the process of reviewing and granting or denying a provider's request for clinical privileges to provide medical or other patient care services, within well-defined limits, which are based on an individual's professional license, registration or certification, experience, training, competence, health status, ability, and clinical judgment) health care providers who are permitted by law and by the medical facility to provide patient care independently and individuals whose duties and responsibilities are determined to be beyond the normal scope of activities for their profession;

(3) The periodic reappraisal of health care providers' professional credentials and the reevaluation of the clinical competence of providers who have been granted clinical privileges; and/or

(4) Records generated as part or result of accessing and reporting to the National Practitioner Data Bank (NPDB), the Health Integrity and Protection Data Bank, and the Federation of State Medical Boards (FSMB).

The records may include individually identifiable information (e.g., name, date of birth, gender, Social Security number, national provider number and associated taxonomy codes, and/or other personal identification number), address information (e.g., home and/or mailing address, home telephone number, e-mail address, facsimile number), biometric data, information related to education and training (e.g., name of medical or professional school attended and date of graduation, name of training program, type of training, dates attended, and date of completion). The records may also include information related to: the individual's license, registration or certification by a State licensing board and/or national certifying body (e.g., number, expiration date, name and address of issuing office, status including any actions taken by the issuing office or any disciplinary board to include previous or current restrictions, suspensions, limitations, or revocations); citizenship; honors and awards; type of appointment or utilization; service/product line; professional society membership; professional performance, experience, and judgment (e.g., documents reflecting work experience, appraisals of past and current performance and potential); educational qualifications (e.g., name and address of institution, level achieved, transcript, information related to continuing education); Drug Enforcement Administration and/or State controlled dangerous substance certification (e.g., current status, any revocations, suspensions, limitations, restrictions); information about mental and physical status; evaluation of clinical and/or technical skills; involvement in any administrative, professional or judicial proceedings, whether involving VA or not, in which professional malpractice on the individual's part is or was alleged; any actions, whether involving VA or not, which result in the limitation, reduction, revocation, or acceptance of surrender or restriction of the individual's clinical privileges; and, clinical performance information that is collected and used to support a determination of an individual's request for clinical privileges. Some information that is included in the record may be duplicated in an employee's official personnel folder.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38 U.S.C. section 501(a) and section 7304(a)(2).

PURPOSE(S):

The information may be used for: Verifying the individual's credentials and qualifications for employment or utilization, appointment to the professional staff, and/or clinical privileges; advising prospective health care entity employers, health care professional licensing or monitoring bodies, the NPDB, or similar entities or activities of individuals covered by this system; accreditation of a facility by an Start Printed Page 16100entity such as the Joint Commission; audits, reviews and investigations conducted by staff of the health care facility, the Veterans Integrated Service Network (VISN) Directors and Division Offices, VA Central Office, VHA program offices, and the VA Office of Inspector General; law enforcement investigations; quality assurance audits, reviews and investigations; personnel management and evaluations; employee ratings and performance evaluations; and, employee disciplinary or other adverse action, including discharge. The records and information may be used for statistical analysis, to produce various management reports, evaluate services, collection, distribution and utilization of resources, and provide clinical and administrative support to patient medical care.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

1. A record from this system of records may be disclosed to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose(s) of the request, and to identify the type of information requested), when necessary to obtain information relevant to a Department decision concerning the hiring or retention of an employee, the issuance or reappraisal of clinical privileges, the issuance of a security clearance, the conducting of a security or suitability investigation of an individual, the letting of a contract, the issuance of a license, grant, or other benefits; or in response to scarce or emergency needs of the Department or other entities when specific skills are required.

2. A record from this system of records may be disclosed to an agency in the executive, legislative, or judicial branch, or the District of Columbia's Government in response to its request, or at the initiation of VA, information in connection with the hiring of an employee, appointment to the professional staff, the issuance of a security clearance, the conducting of a security or suitability investigation of an individual, the letting of a contract, the issuance of a license, grant, or other benefit by the agency, or the lawful statutory or administrative purpose of the agency to the extent that the information is relevant and necessary to the requesting agency's decision; or at the initiative of VA, to the extent the information is relevant and necessary to an investigative purpose of the agency.

3. Disclosure may be made to a Congressional office from the record or an individual in response to an inquiry from the Congressional office made at the request of that individual.

4. Disclosure may be made to NARA (National Archives and Records Administration) in records management inspections conducted under authority of title 44 United States Code.

5. Information from this system of records may be disclosed to a Federal agency or to a State or local government licensing board and/or to the Federation of State Medical Boards or a similar non-government entity which maintains records concerning individuals' employment histories or concerning the issuance, retention or revocation of licenses, certifications, or registration necessary to practice an occupation, profession or specialty, in order for the Department to obtain information relevant to a Department decision concerning the hiring, utilization, appointment, retention or termination of individuals covered by this system or to inform a Federal agency or licensing boards or the appropriate non-government entities about the health care practices of a currently employed, appointed, otherwise utilized, terminated, resigned, or retired health care employee or other individuals covered by this system whose professional health care activity so significantly failed to meet generally accepted standards of clinical practice as to raise reasonable concern for the safety of patients. These records may also be disclosed as part of an ongoing computer-matching program to accomplish these purposes.

6. Information may be disclosed to non-Federal sector (i.e., State, or local governments) agencies, organizations, boards, bureaus, or commissions (e.g., the Joint Commission). Such disclosures may be made only when: (1) The records are properly constituted in accordance with VA requirements; (2) the records are accurate, relevant, timely, and complete; and (3) the disclosure is in the best interest of the Government (e.g., to obtain accreditation or other approval rating). When cooperation with the non-Federal sector entity, through the exchange of individual records, directly benefits VA's completion of its mission, enhances personnel management functions, or increases the public confidence in VA's or the Federal Government's role in the community, then the Government's best interests are served. Further, only such information that is clearly relevant and necessary for accomplishing the intended uses of the information as certified by the receiving entity is to be furnished.

7. Information may be disclosed to a State or national certifying body which has the authority to make decisions concerning the issuance, retention or revocation of licenses, certifications or registrations required to practice a health care profession, when requested in writing by an investigator or supervisory official of the licensing entity or national certifying body for the purpose of making a decision concerning the issuance, retention or revocation of the license, certification or registration of a named health care professional.

8. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

9. Hiring, appointment, performance, or other personnel credentialing related information may be disclosed to any facility or agent with which there is, or there is proposed to be, an affiliation, sharing agreement, partnership, contract, or similar arrangement, where required for establishing, maintaining, or expanding any such relationship.

10. Information concerning a health care provider's professional qualifications and clinical privileges may be disclosed to a VA patient, or the representative or guardian of a patient who due to physical or mental incapacity lacks sufficient understanding and/or legal capacity to make decisions concerning his/her medical care, who is receiving or contemplating receiving medical or other patient care services from the provider when the information is needed by the patient or the patient's representative or guardian in order to make a decision related to the initiation of treatment, continuation or discontinuation of treatment, or receiving a specific treatment that is proposed or planned by the provider. Disclosure will be limited to Start Printed Page 16101information concerning the health care provider's professional qualifications (professional education, training and current licensure/certification status), professional employment history, and current clinical privileges.

11. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

12. To disclose to the Federal Labor Relations Authority (including its General Counsel) information related to the establishment of jurisdiction, the investigation and resolution of allegations of unfair labor practices, or information in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; to disclose information in matters properly before the Federal Service Impasses Panel, and to investigate representation petitions and conduct or supervise representation elections.

13. To disclose to the VA-appointed representative of an employee all notices, determinations, decision, or other written communications issued to the employee in connection with an examination ordered by VA under fitness-for-duty examination procedures or Agency-filed disability retirement procedures.

14. To disclose information to officials of the Merit Systems Protection Board, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be authorized by law.

15. To disclose information to the Equal Employment Opportunity Commission when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or the other functions of the Commission as authorized by law or regulation.

16. To disclose the information listed in 5 U.S.C. 7114(b)(4) to officials of labor organizations recognized under 5 U.S.C., chapter 71 when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions.

17. Identifying information in this system, including name, address, Social Security number and other information as is reasonably necessary to identify such individual, may be disclosed to the NPDB and the HIPDB at the time of hiring, appointment, utilization, and/or clinical privileging/reprivileging of physicians, dentists and other health care practitioners, and other times as deemed necessary by VA, in order for VA to obtain information relevant to a Department decision concerning the hiring, appointment, utilization, privileging/reprivileging, retention or termination of the individual.

18. Relevant information from this system of records may be disclosed to the NPDB, HIPDB, and/or State Licensing Board in the State(s) in which a practitioner is licensed, in which the VA facility is located, and/or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning: (1) Any payment for the benefit of a physician, dentist, or other licensed health care practitioner which was made as the result of a settlement or judgment of a claim of medical malpractice if an appropriate determination is made in accordance with agency policy that payment was related to substandard care, professional incompetence or professional misconduct on the part of the individual; (2) a final decision which relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician or dentist for a period longer than 30 days; or, (3) the acceptance of the surrender of clinical privileges or any restriction of such privileges by a physician or dentist either while under investigation by the health care entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer-matching program to accomplish these purposes.

19. In response to a request about a specifically identified individual covered by this system from a prospective Federal or non-Federal health care entity employer, the following information may be disclosed: (a) Relevant information concerning the individual's professional employment history including the clinical privileges held by the individual; (b) relevant information concerning a final decision that results in a voluntary or involuntary limitation, reduction or loss of clinical privileges; and (c) relevant information concerning any payment that is made in settlement (or partial settlement) of, or in satisfaction of a judgment in, a medical malpractice action or claim and, when through a peer review process that is undertaken pursuant to VA policy, negligence, professional incompetence, responsibility for improper care, and/or professional misconduct has been assigned to the individual.

20. Disclosure may be made to any Federal, State, local, tribal or private entity in response to a request concerning a specific provider for the purposes of credentialing providers who provide health care at multiple sites or move between sites. Such disclosures may be made only when: (1) The records are properly constituted in accordance with VA requirements; (2) the records are accurate, relevant, timely, and complete; and (3) disclosure is in the best interests of the Government (i.e., to meet the requirements of contracts, sharing agreements, partnerships, etc.). When exchange of credentialing information through the exchange of individual records, directly benefits VA's completion of its mission, enhances public confidence in VA's or Federal Government's role in the delivery of health care, then the best interests of the Government are served.

21. Disclosure may be made to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has an agreement or contract to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA. Start Printed Page 16102

22. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

23. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Records are maintained on paper documents or in electronic format. Information included in the record may be stored on microfilm, magnetic tape or disk. Records are maintained at the employing VHA health care facility. If the individual transfers to another VHA health care facility, the record is transferred to the new location, if appropriate.

RETRIEVABILITY:

Records are retrieved by the names and Social Security number or other assigned identifiers, e.g., the National Provider Identifier (NPI), of the individuals on whom they are maintained.

SAFEGUARDS:

1. Access to VA working and storage areas in VA health care facilities is restricted to VA employees on a “need to know” basis; strict control measures are enforced to ensure that disclosure to these individuals is also based on this same principle. Generally, VA file areas are locked after normal duty hours and the health care facilities are protected from outside access by the Federal Protective Service or other security personnel.

2. Access to computer room within the health care facilities is generally limited by appropriate locking devices and restricted to authorized VA employees and vendor personnel. Automated data processing peripheral devices are generally placed in secure areas (areas that are locked or have limited access) or are otherwise protected. Information in the Veterans Information Systems Technology Architecture (VistA) system may be accessed by authorized VA employees. Access to file information is controlled at two levels; the system recognizes authorized employees by a series of individually unique passwords/codes as a part of each data message, and the employees are limited to only that information in the file that is needed in the performance of their official duties.

3. Access to records in VA Central Office and the VISN directors and division offices is only authorized to VA personnel on a “need-to-know” basis. There is limited access to the building with visitor control by security personnel.

4. The automated system is Internet enabled and will conform to all applicable Federal Regulations concerning information security. The automated system is protected by a generalized security facility and by specific security techniques used within the application that accesses the data file and may include individually unique passwords/codes and may utilize Public Key Infrastructure (PKI) personal certificates. Both physical and system security measures will meet or exceed those required to provide an adequate level of protection for host systems. Access to file information is limited to only that information in the file that is needed in the performance of official duties. Access to computer rooms is restricted generally by appropriate locking devices to authorized operational personnel. Information submitted to the automated electronic system is afforded the same protections as the data that are maintained in the original files. Remote on-line access from other agencies to the data storage site is controlled in the same manner. Access to the electronic data is supported by encryption and the Internet server is insulated by a firewall.

RETENTION AND DISPOSAL:

Paper records are retired to the VA Records Center and Vault (VA RC&V) 3 years after the individual separates from VA employment or when no longer utilized by VA (in some cases, records may be maintained at the facility for a longer period of time) and are destroyed 30 years after separation. Paper records for applicants who are not selected for VA employment or appointment are destroyed 2 years after non-selection or when no longer needed for reference, whichever is sooner. Electronic records are transferred to the Director, Credentialing and Privileging Program, Office of Quality and Performance, VA Central Office, when the provider leaves the facility. Information stored on electronic storage media is maintained and disposed of in accordance with records disposition authority approved by the Archivist of the United States.

SYSTEM MANAGER(S) AND ADDRESS:

Official responsible for policies and procedures: Director, Credentialing and Privileging Program, Office of Quality and Performance (10Q), Veterans Health Administration, Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420.

Officials maintaining the system: (1) The chief of staff at the VA health care facility where the provider made application, is employed, or otherwise utilized; (2) the credentialing coordinator of the VA health care facility for individuals who made application for employment or other utilization, or providers currently or previously employed or otherwise utilized at; (3) human resources management offices of the VA health care facility for individuals who made application for employment or other utilization, or providers currently or previously employed or otherwise utilized; (4) VA Central Office or at a VISN location; The electronic data will be maintained by VHA/OQP, a component thereof, or a contractor or subcontractor of VHA/OQP.

NOTIFICATION PROCEDURE:

Individuals who wish to determine whether this system of records contains information about them should contact the VA facility location at which they made application for employment or appointment, or are or were employed. Inquiries should include the employee's full name, Social Security number, date of application for employment or appointment or dates of employment or appointment, and return address. Start Printed Page 16103

RECORD ACCESS PROCEDURES:

Individuals seeking information regarding access to and contesting of records in this system may write, call or visit the VA facility location where they made application for employment or appointment, or are or were employed.

CONTESTING RECORDS PROCEDURES:

(See Record Access Procedures).

RECORD SOURCE CATEGORIES:

Information in this system of records is provided by the applicant/employee, or obtained from State licensing boards, Federation of State Medical Boards, National Council of State Boards of Nursing, National Practitioner Data Bank, Health Integrity and Protection Data Bank, professional societies, national certifying bodies, current or previous employers, other health care facilities and staff, references, educational institutions, medical schools, VA staff, patient, visitors, and VA patient medical records.

End Supplemental Information

[FR Doc. E8-6143 Filed 3-25-08; 8:45 am]

BILLING CODE 8320-01-P