Department of Veterans Affairs (VA).
Notice of Amendment to System of Records.
As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records currently entitled “My HealtheVet Administrative Records—VA” 130VA19 as set forth in the Federal Register 193 FR 59991. VA is amending the system by revising the Routine Uses of Records Maintained in the System and the Categories of Records in the System, Location, and Purpose. VA is republishing the system notice in its entirety.
Comments on the amendment of this system of records must be received no later than December 17, 2010. If no public comment is received, the amended system will become effective December 17, 2010.
Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to Director, Regulations Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue, NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 (this is not a toll-free number) for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS) at http://www.Regulations.gov.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420; telephone (704) 245-2492.End Further Info End Preamble Start Supplemental Information
Background: My HealtheVet (MHV) is a web-based personal health record Start Printed Page 70366system that provides Veterans with information and tools that they can use to increase their knowledge about health conditions, increase communication with their care providers and improve their own health. Level one Veterans (who have a MHV account hosted behind the VA firewall which follows VA approved guidelines for user name and strong password) are able to access health education tools and resources, create and maintain a secure comprehensive personal health record, and request VA prescription refills online. Authenticated level two Veterans are able to receive electronic copies of their health information, view VA wellness reminders, communicate with their providers through secure messaging, and access a number of other functions and options related to their health maintenance and health information. VA also provides, through a web-based environment, a secure and private health space where Veterans can enter their own personal and medical information in a “self-entered” health information section.
Electronic copies of health information are not considered VA authoritative records, nor are they considered part of the VA system of records once they are downloaded into the Veteran's secure and private health space. The Veteran's self-entered health information is also owned and maintained by the Veteran in the My HealtheVet secure and private health space and is not by itself a part of the VA's system of records. This self-entered health information may be included in the Veteran's official VA electronic health record upon the Veteran's request and/or upon VA's determination that it is appropriate to include it in the official medical record.
Certain applications of My HealtheVet may generate or result in data and information that is included in another VA system of records, such as secure messages which are generated from the My HealtheVet application but are included in 24VA19 system of records due to the potential for clinically relevant information to be contained within a secure message. Administrative data associated with such applications will be included in the My HealtheVet Administrative Records—VA system of records.
Certain applications of My HealtheVet may interface with other VA maintained programs or applications to allow communication from the Veteran to the specific application or program, such as eBenefits applications, a VA/DoD joint portal. Certain administrative data may be maintained by My HealtheVet as a result of these applications or exchanges; however, the VA maintained program or application receiving the information will maintain the authoritative information of record.
My HealtheVet may also be used, upon permission from the Veteran, as a Health Information Exchange point, between a VA approved agency or organization and the Veteran's personal health record.
VA does not provide access to the Veteran's personal health information maintained in My HealtheVet in any situation, including medical emergency situations. If a non-VA health care provider requires information from VA medical records to treat a Veteran patient, the non-VA health care provider must obtain the Veteran's consent to release information and contact the VA facility where the Veteran patient was last treated to obtain information.
Delegation of My HealtheVet will allow Veterans to share all or part of the information in their account with other individuals that they designate, such as family members, and VA and non-VA health care providers.
In order to administer the My HealtheVet program and support the provision of the above benefits to Veterans, VHA retains administrative information, including personally identifiable information on users of My HealtheVet. In addition, VHA houses the patient's self-entered information in a separate database, but the administrative and patient data files can be linked. This administrative information is stored in the My HealtheVet Administrative Records System, and constitutes a separate system of records.
I. Description of Proposed System of Records
The My HealtheVet Administrative Records System contains administrative information created or collected during the course of operating My HealtheVet, and is provided by Veterans and other qualified individuals, their delegates and grantees, Veterans Health Information Systems and Technology Architecture (VistA) IT systems, VA employees, contractors, and subcontractors. At this time, the My HealtheVet program is planning to maintain minimal administrative records at each local facility, while maintaining more comprehensive administrative records at a central location, VA National Data Center or VA Health Data Warehouse Repository. The records kept locally support the local VA My HealtheVet training programs and applications, and VA's annual reporting requirements under the Freedom of Information Act (FOIA) for those Veterans who request electronic access to copies of key portions of their health records.
The more comprehensive repository of administrative information is maintained at a central location. This information is used to support My HealtheVet electronic services, such as requests for prescription refill, co-payment and appointment information, entry of personal health metrics, and Veteran requests for electronic copies of their health information. This information may also be used for business administrative reports for system operators and VA managers to ensure that the My HealtheVet system is meeting performance expectations and being used within legal boundaries.
The information needed to support My HealtheVet program activities and electronic services includes such information as: the person's full name; My HealtheVet User ID; date of birth; e-mail address; telephone number; social security number; mother's maiden name; zip code; place and date of registration for My HealtheVet electronic record access; delegate and grantee user IDs associated with My HealtheVet users; level of access to My HealtheVet electronic services; date and type of transaction; patient integration control number (ICN); and other administrative data needed for My HealtheVet roles and services.
II. Proposed Routine Use Disclosures of Data in the System
We are proposing to establish the following Routine Use disclosures of information maintained in the system:
6. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.
This routine use permits disclosures by the Department to report a suspected incident of identity theft and provide information or documentation related to or in support of the reported incident.
7. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Start Printed Page 70367Department or another agency or disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.
8. Disclosure of administrative data including information about My HealtheVet use and user transactions accomplished via the Web site may be provided to approved VA research investigators with VA Institutional Review Board (IRB) approval. Disclosure of this information to research investigators will allow VA to evaluate the value of the My HealtheVet for purposes of system modification and improvement, and for purposes of promoting patient self-management of health and improved health outcomes.
III. Compatibility of the Proposed Routine Uses
The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information, in this case administrative information, will be used for a purpose that is compatible with the purpose for which VA collected it. In all of the routine use disclosures described above, either the recipient of the administrative information will use the information in connection with the My HealtheVet program, a matter relating to one of VA's programs to provide a benefit to VA, or to meet legal requirements for disclosure.
The Report of Intent to Amend a System on Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.Start Signature
Approved: November 1, 2010.
John R. Gingrich,
Chief of Staff, Department of Veterans Affairs.
“My HealtheVet Administrative Records—VA”
Veterans Health Administration (VHA) local facilities, VA National Data Centers, and VA Health Data Repository (HDR) located at the VA National Data Centers. Address locations for VA facilities are listed in VA Appendix 1 of the biennial publications of the VA systems of records.
Categories of individuals covered by the system:
Individuals covered encompass: (1) All individuals who successfully register for a My HealtheVet account and whose identity has been verified; (2) Representatives of the above individuals who have been provided grantee or delegate access to My HealtheVet including, but not limited to, family members, friends, or VA and non-VA health care providers; (3) VA health care providers and certain administrative staff; (4) VHA Information Technology (IT) staff and/or their approved contractors who may need to enter identifying, administrative information into the system to initiate, support and maintain electronic services for My HealtheVet participants; and (5) VA researchers fulfilling VA required authorization procedures.
Categories of records in the system:
The records include personally identifiable information, such as an individual's full name; My HealtheVet User Identifier (ID); date of birth; social security number; e-mail address; telephone number; mother's maiden name; ZIP code; place and date of registration for My HealtheVet; delegate and grantee user IDs associated with My HealtheVet accounts; level of access to My HealtheVet electronic services; date and type of transaction; web analytics for the purpose of monitoring site usage, patient internal control number (ICN); and other administrative data needed for My HealtheVet roles and services.
Authority for maintenance of the system:
Title 38, United States Code, § 501.
The information in the My HealtheVet Administrative Records is needed to operate the My HealtheVet program, including but not limited to registration and verification of the Veteran's identity or to register and authenticate those who have legal authority to participate in lieu of the Veteran, to assign and verify administrators of the My HealtheVet portal, to retrieve the Veteran's information to perform specific functions, allow access to specific information and provide other associated My HealtheVet electronic services in current and future applications of the My HealtheVet program. The administrative information may also be used to create administrative business reports for system operators and VA managers who are responsible for ensuring that the My HealtheVet system is meeting performance expectations, and is in compliance with applicable Federal laws and regulations. Administrative information may also be used for evaluation to support program improvement, including VA approved research studies.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
To the extent that records contained in the system include information protected by 45 CFR Parts 160 and 164, i.e., individually identifiable health information, and 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR Parts 160 and 164 permitting disclosure.
1. Disclosure of information in this system of records may be made to private or public sector organizations, individuals, agencies, etc., with whom VA has a contract or agreement, including subcontractors, in order to administer the My HealtheVet program, or perform other such services as VA deems appropriate and practical for the purposes of administering VA laws.
2. VA may disclose on its own initiative any information in the system, except the names and home addresses of Veterans and their dependents, that is relevant to a suspected or reasonably imminent violation of the law whether civil, criminal, or regulatory in nature and whether arising by general or program statute or by regulation, rule, or order issued pursuant thereto, to a Federal, state, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule, or order. VA may also disclose on its own initiative the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, or order issued pursuant thereto.Start Printed Page 70368
3. Disclosure may be made to National Archives and Records Administration (NARA) and the General Services Administration (GSA) to support its records management inspections responsibilities and its role as Archivist of the United States under authority of title 44 United States Code (U.S.C).
4. Any information in this system of records may be disclosed to the United States Department of Justice or United States Attorneys in order to prosecute or defend litigation involving or pertaining to the United States, or in which the United States has an interest.
5. Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
6. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.
7. Disclosure of information may be made when (1) it is suspected or confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure is to agencies, entities, and persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosure by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.
8. Disclosure of information may be made to VA to approved researchers to enhance, advance and promote both the function and the content of the My HealtheVet application.
Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:
These administrative records are maintained on paper and electronic media, including hard drive disks, which are backed up to tape at regular intervals.
Records may be retrieved by an individual's name, user ID, date of registration for My HealtheVet electronic services, zip code, the VA assigned ICN, date of birth and/or social security number, if provided.
1. Access to and use of the My HealtheVet Administrative Records are limited to those persons whose official duties require such access; VA has established security procedures to ensure that access is appropriately limited. Information security officers and system data stewards review and authorize data access requests. VA regulates data access with security software that authenticates My HealtheVet administrative users and requires individually unique codes and passwords. VA provides information security training to all staff and instructs staff on the responsibility each person has for safeguarding data confidentiality. VA regularly updates security standards and procedures that are applied to systems and individuals supporting this program.
2. Physical access to computer rooms housing the My HealtheVet Administrative Records is restricted to authorized staff and protected by a variety of security devices. Unauthorized employees, contractors, and other staff are not allowed in computer rooms. The Federal Protective Service or other security personnel provide physical security for the buildings housing computer systems and data centers.
3. Data transmissions between operational systems and My HealtheVet Administrative Records maintained by this system of records are protected by telecommunications software and hardware as prescribed by VA standards and practices. This includes firewalls, encryption, and other security measures necessary to safeguard data as it travels across the VA-Wide Area Network.
4. Copies of back-up computer files are maintained at secure off-site locations.
Retention and disposal:
Records are maintained and disposed of in accordance with the records disposition authority approved by the Archivist of the United States. Records from this system that are needed for audit purposes will be disposed of 6 years after a user's account becomes inactive. Routine records will be disposed of when the agency determines they are no longer needed for administrative, legal, audit, or other operational purposes. These retention and disposal statements are pursuant to NARA General Records Schedules GRS 20, item 1c and GRS 24, item 6a.
System manager(S) and address:
Official responsible for policies and procedures: Deputy Chief Information Officer for Health (19), Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Officials maintaining this system of records: The local VA facility (Address locations for VA facilities are listed in VA Appendix 1 of the biennial publications of the VA systems of records) and the Chief, Technical Infrastructure Division (31), Austin Automation Center, 1615 Woodward Street, Austin, Texas 78772.
Individuals who wish to determine whether a record is being maintained under their name in this system or wish to determine the contents of such records have two options:
1. Submit a written request or apply in person to the VA facility where the records are located. VA facility location information can be found in the Facilities Locator section of VA's Web site at http://www.va.gov; or
2. Submit a written request or apply in person to the Chief of the Technical Infrastructure Division (31), Austin Automation Center, 1615 Woodward Street, Austin, Texas 78772.
Inquiries should include the person's full name, user ID, date of birth and return address.
Record access procedure:
Individuals seeking information regarding access to and contesting of records in this system may write or call their local VA facility and/or the Chief of the Technical Infrastructure Division (31), Austin Automation Center, 1615 Woodward Street, Austin, Texas 78772, or call (512) 326-6780 to reach the VA Austin Automation Center Help Desk speak with the Chief of the Technical Infrastructure Division.
Contesting record procedures:
(See Record Access Procedures above).
Record source categories:
The sources of information for this system of records include the Start Printed Page 70369individuals covered by this notice and an additional contributor, as listed below:
(1) All individuals who successfully register for a My HealtheVet account;
(2) Representatives of the above individuals who have been provided access to the private health space by the Veteran user, including but not limited to, family members, friends, or VA and non-VA health care providers;
(3) VA health care providers;
(4) VHA IT staff and/or their contractors and subcontractors who may need to enter information into the system to initiate, support and maintain My HealtheVet electronic services for My HealtheVet users;
(5) VistA systems and
(6) VA researchers fulfilling VA required authorization procedures (see VHA Handbook 1200.01 http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=2038).End Supplemental Information
[FR Doc. 2010-28950 Filed 11-16-10; 8:45 am]
BILLING CODE 8320-01-P