Privacy Act of 1974; System of Records, 13347-13351 [E7-5135]

Download as PDF Federal Register / Vol. 72, No. 54 / Wednesday, March 21, 2007 / Notices Total tire registration hours (manual) ........................... Recordkeeping hours (manual) .................................... Total annual tire registration and recordkeeping hours ................................. 1 Hours. 1 225,000 1 25,000 1 250,000 Authority: 44 U.S.C. 3506(c); delegation of authority at 49 CFR 1.50 Issued on: March 16, 2007. Roger A. Saul, Director, Office of Crashworthiness Standards. [FR Doc. 07–1385 Filed 3–20–07; 8:45 am] BILLING CODE 4910–59–M DEPARTMENT OF THE TREASURY Submission for OMB Review; Comment Request March 15, 2007. The Department of Treasury has submitted the following public information collection requirement(s) to OMB for review and clearance under the Paperwork Reduction Act of 1995, Public Law 104–13. Copies of the submission(s) may be obtained by calling the Treasury Bureau Clearance Officer listed. Comments regarding this information collection should be addressed to the OMB reviewer listed and to the Treasury Department Clearance Officer, Department of the Treasury, Room 11000, 1750 Pennsylvania Avenue, NW., Washington, DC 20220. Dates: Written comments should be received on or before April 20, 2007 to be assured of consideration. jlentini on PROD1PC65 with NOTICES Alcohol and Tobacco Tax and Trade Bureau (TTB) OMB Number: 1513–0091. Type of Review: Extension. Title: Tobacco Products Manufacturers—Notice for Tobacco Products, TTB REC 5210/12 and Records of Operations, TTB REC 5210/ 1. Form: TTB 5210/1, 5210/12. Description: Tobacco products manufacturers maintain a record system showing tobacco and tobacco product receipts, production, and dispositions which support removals subject to tax, transfers in bond, and inventory records. These records are vital to tax enforcement. Respondents: Business and other for profits. Estimated Total Burden Hours: 1 hours. OMB Number: 1513–0108. Type of Review: Extension. VerDate Aug<31>2005 17:08 Mar 20, 2007 Jkt 211001 Title: Recordkeeping for Tobacco Products and Cigarette Papers and Tubes Brought from Puerto Rico to the U.S. 27 CFR 41.105, 41.106, 41.109, 41.110, 41.121. Description: The prescribed records apply to persons who ship tobacco products or cigarette papers or tubes from Puerto Rico to the United States. The records verify that the amount of taxes to be paid and if required, that the bond is sufficient to cover unpaid liabilities. Respondents: Business and other forprofit. Estimated Total Burden Hours: 1 hours. OMB Number: 1513–XXXX. Type of Review: Regular. Title: Permit Application Questions, Amended Permit Application Questions, Claims Questions. Description: Alcohol and Tobacco Tax and Trade Bureau (TTB), in an ongoing effort to improve its Customer Service, intends to survey its customers and keep track of its progress, as well as identify potential needs, problems, and opportunities for improvement. The respondents will be businesses that hold permits with TTB and permit holders that file claims with TTB. There is no cost to respondents other than their time. Respondents: Business and other forprofits. Estimated Total Burden Hours: 625 hours. Clearance Officer: Frank Foote (202) 927–9347, Alcohol and Tobacco Tax and Trade Bureau, Room 200 East, 1310 G. Street, NW., Washington, DC 20005. OMB Reviewer: Alexander T. Hunt (202) 395–7316, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503. Michael A. Robinson, Treasury PRA Clearance Officer. [FR Doc. E7–5172 Filed 3–20–07; 8:45 am] BILLING CODE 4810–31–P DEPARTMENT OF VETERANS AFFAIRS Privacy Act of 1974; System of Records AGENCY: Department of Veterans Affairs (VA). Notice of amendment to system of records. ACTION: SUMMARY: As required by the Privacy Act of 1974 (5 U.S.C. 552a(e), notice is hereby given that the Department of Veterans Affairs is amending the system PO 00000 Frm 00112 Fmt 4703 Sfmt 4703 13347 of records currently entitled ‘‘Program Evaluation Research Data Management Records—VA’’ (107VA008B) as set forth in the Federal Register 66 FR 29633–35. VA is amending the system by revising the System Name; System Location; Categories of Individuals Covered by the System; Categories of Records in the System; Purpose(s); Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses; Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System; System Manager and Address(es): Notification Procedures; Record Access Procedure(s); Contesting Records Procedures; and Record Source Categories. VA will be publishing a new system of records notice to cover evaluation of non-health information. VA is republishing the system notice in its entirety. DATES: Comments on the amendment of this system of records must be received no later than April 20, 2007. If no public comment is received, the new system will become effective April 20, 2007. ADDRESSES: Written comments may be submitted through http:// www.Regulations.gov; by mail or handdelivery to the Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273–9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays). Please call (202) 273–9515 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System. FOR FURTHER INFORMATION CONTACT: Dat Tran, Director, Office of Data Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, (202) 273–6482. SUPPLEMENTARY INFORMATION: I. Description of Proposed Systems of Records While this System of Records has been amended to reflect the current organizational alignment, its number remains 107VA008B. The System Name is changed from ‘‘Program Evaluation Research Data Management Records— VA’’ to ‘‘Health Program Evaluation— VA’’ to more accurately reflect the scope of activity conducted with data from this system of records. E:\FR\FM\21MRN1.SGM 21MRN1 13348 Federal Register / Vol. 72, No. 54 / Wednesday, March 21, 2007 / Notices jlentini on PROD1PC65 with NOTICES This System of Records has been refocused to apply to data gathered from all VA components, including protected health information (PHI) supplied by the Veterans Health Administration (VHA) that is needed to conduct data collection, storage and analyses on behalf of VHA for program evaluations, and analysis including descriptions of the utilization of services, demographic profiles of service or benefit users, utilization projections, forecasting, and trend analyses, and other analyses that characterize patterns of utilization, costs, and future service needs. A more complete description of the duties and activities of Office of Policy and Planning (OPP) are at http:// www1.va.gov/op3/docs/008_org.pdf. OPP receives, maintains and uses VHA PHI under a Business Associate Agreement (BAA) between VHA and OPP. OPP receives, maintains, uses and discloses information from this system of records in accordance with these Rules. VHA periodically reviews the handling of its data to ensure that the requirements of these Rules are met. The Safeguards section has been updated to reflect the additional security requirements and restrictions on the use of health information obtained from the Veterans Health Administration (VHA) in compliance with requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, 45 CFR Parts 160 and 164. The Privacy and Security Rules became effective after the date of initial publication of this system of records. This portion of the amendment documents privacy and security procedures implemented earlier to reflect the requirements of these Rules. The Department has made minor edits to the System Notice for grammar and clarity purposes to reflect plain language, including changes to routine uses. These changes are not, and are not intended to be, substantive, and are not further discussed or enumerated. II. Proposed Amendments to Routine Use Disclosures of Data in the System A statement clarifying that the routine use disclosure statements in this system of records does not provide authority for VA to disclose individually identifiable health information protected by 38 U.S.C. 7332 or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule has been added. This means VA must have disclosure authority under 38 U.S.C. 7332, HIPAA, or both, where applicable, before disclosure under any routine use for data covered by these provisions. Further, routine uses are amended to VerDate Aug<31>2005 17:08 Mar 20, 2007 Jkt 211001 provide consistency with the standards defined by Department of Health and Human Services under HIPAA. Routine use number 1 clarifies the scope of records that can be disclosed. Routine use number 2 is clarified as to the scope of records that can be disclosed. Routine use number 3 is revised to specify the privacy requirements and information use safeguards as required by OPP when records are shared with other Federal agencies for their use or for OPP information matching needs. Routine use number 4 is revised to specify the privacy requirements and information use safeguards as required by OPP when records are shared with contractors, consultants, and collaborating analysts who have been engaged by the VA. Routine use number 5 specifies that system records may be disclosed to the Office of Management and Budget. Routine use number 6 states that records may be disclosed to ensure data security, and to respond to a suspected compromise of covered data, including efforts to remedy any potential harm from the compromise. Section 5724 of title 38, United States Code, requires such actions. Also, in determining whether to disclose records under this routine use, VA will comply with the guidance promulgated by the Office of Management and Budget in a May 24, 1985, memorandum entitled ‘‘Privacy Act Guidance—Update’’, currently posted at http://www.whitehouse.gov/ omb/inforeg/guidance1985.pdf. Routine use number 7 is clarified as to the scope of records that can be disclosed to the Department of Justice (DoJ). Routine use number 8 is clarified as to the scope of records that can be disclosed for law enforcement purposes. III. Compatibility of the Proposed Routine Uses The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which we collected the information. In all of the routine use disclosures described above, the recipient of the information will use the information in connection with a matter relating to one of VA’s programs, will use the information to provide a benefit to VA, or disclosure is required by law. The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 PO 00000 Frm 00113 Fmt 4703 Sfmt 4703 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000. Approved: March 6, 2007. Gordon H. Mansfield, Deputy Secretary of Veterans Affairs. 107VA008B SYSTEM NAME: Health Program Evaluation—VA. SYSTEM LOCATION: The system of records is located in office of the Director, Office of Data Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Records are stored on a secured server computer at the VA Austin Automation Center, 1615 Woodward Street, Austin, Texas 78722. Records not stored at the VA Austin Automation Center are stored on electronic media or laser optical media in a combinationprotected safe which is secured inside a key-accessed room at the U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC, 20420. Records necessary for a contractor to perform analyses under a contract are located at the respective contractor’s secure facility. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: 1. Veterans who have applied for healthcare services or benefits under Title 38, United States Code. 2. Veterans’ spouse, surviving spouse, previous spouse, children, and parents who have applied for healthcare services or benefits under Title 38, United States Code. 3. Beneficiaries of other Federal agencies or other governmental entities. 4. Individuals examined or treated under contract or resource sharing agreements. 5. Individuals examined or treated for research or donor purposes. 6. Individuals who have applied for Title 38 benefits but who do not meet the requirements under Title 38 to receive such benefits. 7. Individual who were provided medical care under emergency conditions for humanitarian reasons. 8. Pensioned members of allied forces provided healthcare services under Title 38, United States Code. CATEGORIES OF RECORDS IN THE SYSTEM: Records include identification numbers, contact and location information, demographic information, military service descriptions, residency characteristics, economic information, healthcare visit descriptions, patient E:\FR\FM\21MRN1.SGM 21MRN1 Federal Register / Vol. 72, No. 54 / Wednesday, March 21, 2007 / Notices assessments, medical test descriptions and results, diagnoses, disability assessments, treatments, pharmaceutical information, service utilization and associated medical staffing and resource costs, entitlements or benefits, patient survey results, and health status. The records include information created or collected during the course of normal clinical operations work and is provided by patients, employers, students, volunteers, contactors, subcontractors, and consultants. In addition, records also include social security numbers, military service numbers, claim or file numbers, and DoD’s identification numbers. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 38 U.S.C 527. PURPOSE(S): Health-related qualitative, quantitative, and actuarial analyses and projections to support policy analyses and recommendations to improve VA services for veterans and their families. Analysis and review of policy and longterm planning issues affecting veterans programs to support legislative, regulatory and policy recommendations and initiatives. jlentini on PROD1PC65 with NOTICES ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information, 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, or both, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure. 1. Any system records disclosure may be made to a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained. 2. Any system records disclosure may be made to the National Archives and Records Administration as required in records management inspections under title 44 U.S.C. 3. Any system records may be disclosed to a Federal agency for the conduct of research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that VerDate Aug<31>2005 17:08 Mar 20, 2007 Jkt 211001 there is legal authority under all applicable confidentiality statutes and regulations to provide the data and OPP has determined prior to the disclosure that OPP data handling requirements are satisfied. OPP may disclose limited individual identification information to another Federal agency for the purpose of matching and acquiring information held by that agency for OPP to use for the purposes stated for this system of records. 4. Any system records may be disclosed to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has an agreement or contract to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA. 5. Any system records may be disclosed to the Office of Management and Budget in order for them to perform their statutory responsibilities of evaluating Federal programs. 6. Any records may be disclosed to appropriate agencies, entities, and persons under the following circumstances: When (1) it is suspected or confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure is made to such agencies, entities, and persons who are reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. 7. VA may disclose information in this system of records to the Department of Justice, either on VA’s initiative or in response to DoJ’s request for the PO 00000 Frm 00114 Fmt 4703 Sfmt 4703 13349 information, after either VA or DoJ determines that such information is relevant to DoJ’s representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. In determining whether to disclose records under this routine use, VA will comply with the guidance promulgated by the Office of Management and Budget in a May 24, 1985, memorandum entitled ‘‘Privacy Act Guidance— Update’’, currently posted at http:// www.whitehouse.gov/omb/inforeg/ guidance1985.pdf. 8. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature, and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM: STORAGE: VA sensitive information, including individually identifiable health information, is stored on electronic media, laser optical media, on a segregated secure server or in paper form. Data stored on a secure server are located at the Austin Automation Center. Electronic media, or laser E:\FR\FM\21MRN1.SGM 21MRN1 13350 Federal Register / Vol. 72, No. 54 / Wednesday, March 21, 2007 / Notices optical media data are kept locked in a safe when not in immediate use. The safe is secured inside a key-accessed room at OPP. Information stored on paper is kept locked in file cabinets when not in immediate use. Databases are temporarily placed on a secured server inside a restricted network area for data match purposes only. Information that resides on a segregated server is kept behind locked doors with limited access. Requestors of OPP stored health information within VA, or from external individuals, contractors, organizations, and/or agencies with whom VA has a contract or agreement, must provide an equivalent level of security protection and comply with all applicable VA policies and procedures for storage and transmission as codified in VA directives such as but not limited to VA Directive 6504. RETRIEVABILITY: Individually-identified health care information is kept in two forms. The first form is the original data file containing the names and social security numbers of the record subjects. OPP assigns unique codes derived from social security numbers to these individual records prior to conducting analyses on the data. The encryption key for social security numbers and other numerical identifiers of the individuals is stored in a safe in OPP. The original records may be retrieved using social security numbers, military service number, claim or file number, DoD’s identification numbers, or other personal numerical identifiers. The records containing the encrypted identifiers may be retrieved only by those identifiers. jlentini on PROD1PC65 with NOTICES SAFEGUARDS: This list of safeguards furnished in this System of Record is a general statement of measures taken to protect health information. For example, HIPAA guidelines for protecting health information will be followed and OPP will adopt evolving health care industry best practices in order to provide adequate safeguards. Further, VA policy directives that specify the standards that will be applied to protect health information will be provided to VA staff and contractors through mandatory data privacy and security training. Access to data storage areas is restricted to authorized VA employee or contract staff who have been cleared to work by the VA Office of Security and Law Enforcement. Health information file areas are locked after normal duty hours. VA facilities are protected from outside access by the Federal Protective Service and/or other security personnel. VerDate Aug<31>2005 17:08 Mar 20, 2007 Jkt 211001 Access to health information provided by the Veterans Health Administration (VHA) pursuant to a Business Associate Agreement (BAA) is restricted to those OPP employees and contractors who have a need for the information in the performance of their official duties related to the terms of the BAA. As a general rule, full sets of health care information are not provided for use unless authorized by the OPP Assistant Secretary. File extracts provided for specific official uses will be limited to the minimum necessary amount and contain only the information fields needed for the analysis. Data used for analyses will have individual identifying characteristics removed whenever possible. Security complies with applicable Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST). Health information files containing unique identifiers such as social security numbers are encrypted to NIST-verified FIPS 140–2 standard or higher for storage, transport, or transmission. All files stored or transmitted on laptops, workstations, data storage devices and media are encrypted. Files are kept encrypted at all times except when data is in immediate use, per specifications by VA Office of Information Technology. NIST publications were consulted in development of security for this system of records. Contractors and their subcontractors are required to maintain the same level of security as VA staff for health care information that has been disclosed to them. Any data disclosed to a contractor or subcontractor to perform authorized analyses requires the use of Data Use Agreements, Non-Disclosure Statements and Business Associates Agreements to protect health information. Unless explicitly authorized in writing by the VA, sensitive or protected data made available to the contractor and subcontractors shall not be divulged or made known in any manner to any other person. Other federal or state agencies requesting health care information need to execute Data Use Agreements to protect data. OPP’s work area is accessed for business-only needs. For data that is not stored on a secure server, the data is stored in a combination-protected safe which is secured inside a limited access room. Direct access to the safe is controlled by select individuals who possess background security clearances. Only a few employees with strict business needs or ‘‘need-to-know’’ access and completed background checks will ever handle the data once it PO 00000 Frm 00115 Fmt 4703 Sfmt 4703 is removed from the safe for data match purposes. RETENTION AND DISPOSAL: Records are maintained and disposed of in accordance with records disposition authority approved by the Archivist of the United States. If the Archivist has not approved disposition authority for any records covered by the system notice, the System Manager will take immediate action to have the disposition of records in the system reviewed and paperwork initiated to obtain an approved records disposition authority in accordance with VA Handbook 6300.1, Records Management Procedures. OPP will publish an amendment to this notice upon issuance of NARA-approved disposition authority. The records may not be destroyed until VA obtains an approved records disposition authority. OPP destroys electronic files when no longer needed for administrative, legal, audit, or other operational purposes. In accordance with title 36 CFR 1234.34, Destruction of Electronic Records, ‘‘electronic records may be destroyed only in accordance with a records disposition schedule approved by the Archivist of the United States, including General Records Schedules.’’ SYSTEM MANAGER(S) AND ADDRESS(ES): Director, Office of Data Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. NOTIFICATION PROCEDURE: An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to determine the contents of such record, should submit a written request to the Director, Office of Data Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Such requests must contain a reasonable description of the records requested. All inquiries must reasonably identify the health care information involved and the approximate date that medical care was provided. Inquiries should include the patient’s full name, social security number, telephone number and return address. RECORD ACCESS PROCEDURES: Individuals seeking information regarding access to and contesting of VA health information maintained by the Office of Policy and Planning may send a request by mail to the Director, Data Development and Analysis Service, (008A3), Department of Veterans E:\FR\FM\21MRN1.SGM 21MRN1 Federal Register / Vol. 72, No. 54 / Wednesday, March 21, 2007 / Notices Affairs, 810 Vermont Ave., Washington, DC 20420 CONTESTING RECORDS PROCEDURES: jlentini on PROD1PC65 with NOTICES (See Notification procedure above.) VerDate Aug<31>2005 17:08 Mar 20, 2007 Jkt 211001 RECORD SOURCE CATEGORIES: Information is obtained from VHA and other VA staff offices and Administrations, OPP’s National Survey of Veterans, national surveys (e.g., National Long Term Care Survey, National Health Interview Survey), PO 00000 Frm 00116 Fmt 4703 Sfmt 4703 13351 Federal agencies (e.g., Department of Defense, Department of Health and Human Services), state agencies, and other private and public health provider or insurance programs and plans. [FR Doc. E7–5135 Filed 3–20–07; 8:45 am] BILLING CODE 8320–01–P E:\FR\FM\21MRN1.SGM 21MRN1

Agencies

[Federal Register Volume 72, Number 54 (Wednesday, March 21, 2007)]
[Notices]
[Pages 13347-13351]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-5135]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 (5 U.S.C. 552a(e), 
notice is hereby given that the Department of Veterans Affairs is 
amending the system of records currently entitled ``Program Evaluation 
Research Data Management Records--VA'' (107VA008B) as set forth in the 
Federal Register 66 FR 29633-35. VA is amending the system by revising 
the System Name; System Location; Categories of Individuals Covered by 
the System; Categories of Records in the System; Purpose(s); Routine 
Uses of Records Maintained in the System, Including Categories of Users 
and the Purposes of Such Uses; Policies and Practices for Storing, 
Retrieving, Accessing, Retaining, and Disposing of Records in the 
System; System Manager and Address(es): Notification Procedures; Record 
Access Procedure(s); Contesting Records Procedures; and Record Source 
Categories. VA will be publishing a new system of records notice to 
cover evaluation of non-health information. VA is republishing the 
system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than April 20, 2007. If no public comment is 
received, the new system will become effective April 20, 2007.

ADDRESSES: Written comments may be submitted through http://
www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 273-9515 for an appointment. In 
addition, during the comment period, comments may be viewed online 
through the Federal Docket Management System.

FOR FURTHER INFORMATION CONTACT: Dat Tran, Director, Office of Data 
Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 
810 Vermont Avenue, NW., Washington, DC 20420, (202) 273-6482.

SUPPLEMENTARY INFORMATION:

I. Description of Proposed Systems of Records

    While this System of Records has been amended to reflect the 
current organizational alignment, its number remains 107VA008B. The 
System Name is changed from ``Program Evaluation Research Data 
Management Records--VA'' to ``Health Program Evaluation--VA'' to more 
accurately reflect the scope of activity conducted with data from this 
system of records.

[[Page 13348]]

    This System of Records has been refocused to apply to data gathered 
from all VA components, including protected health information (PHI) 
supplied by the Veterans Health Administration (VHA) that is needed to 
conduct data collection, storage and analyses on behalf of VHA for 
program evaluations, and analysis including descriptions of the 
utilization of services, demographic profiles of service or benefit 
users, utilization projections, forecasting, and trend analyses, and 
other analyses that characterize patterns of utilization, costs, and 
future service needs. A more complete description of the duties and 
activities of Office of Policy and Planning (OPP) are at http://
www1.va.gov/op3/docs/008_org.pdf. OPP receives, maintains and uses VHA 
PHI under a Business Associate Agreement (BAA) between VHA and OPP. OPP 
receives, maintains, uses and discloses information from this system of 
records in accordance with these Rules. VHA periodically reviews the 
handling of its data to ensure that the requirements of these Rules are 
met.
    The Safeguards section has been updated to reflect the additional 
security requirements and restrictions on the use of health information 
obtained from the Veterans Health Administration (VHA) in compliance 
with requirements of the Health Insurance Portability and 
Accountability Act (HIPAA) Privacy and Security Rules, 45 CFR Parts 160 
and 164. The Privacy and Security Rules became effective after the date 
of initial publication of this system of records. This portion of the 
amendment documents privacy and security procedures implemented earlier 
to reflect the requirements of these Rules.
    The Department has made minor edits to the System Notice for 
grammar and clarity purposes to reflect plain language, including 
changes to routine uses. These changes are not, and are not intended to 
be, substantive, and are not further discussed or enumerated.

II. Proposed Amendments to Routine Use Disclosures of Data in the 
System

    A statement clarifying that the routine use disclosure statements 
in this system of records does not provide authority for VA to disclose 
individually identifiable health information protected by 38 U.S.C. 
7332 or the Health Insurance Portability and Accountability Act (HIPAA) 
Privacy Rule has been added. This means VA must have disclosure 
authority under 38 U.S.C. 7332, HIPAA, or both, where applicable, 
before disclosure under any routine use for data covered by these 
provisions. Further, routine uses are amended to provide consistency 
with the standards defined by Department of Health and Human Services 
under HIPAA.
    Routine use number 1 clarifies the scope of records that can be 
disclosed.
    Routine use number 2 is clarified as to the scope of records that 
can be disclosed.
    Routine use number 3 is revised to specify the privacy requirements 
and information use safeguards as required by OPP when records are 
shared with other Federal agencies for their use or for OPP information 
matching needs.
    Routine use number 4 is revised to specify the privacy requirements 
and information use safeguards as required by OPP when records are 
shared with contractors, consultants, and collaborating analysts who 
have been engaged by the VA.
    Routine use number 5 specifies that system records may be disclosed 
to the Office of Management and Budget.
    Routine use number 6 states that records may be disclosed to ensure 
data security, and to respond to a suspected compromise of covered 
data, including efforts to remedy any potential harm from the 
compromise. Section 5724 of title 38, United States Code, requires such 
actions. Also, in determining whether to disclose records under this 
routine use, VA will comply with the guidance promulgated by the Office 
of Management and Budget in a May 24, 1985, memorandum entitled 
``Privacy Act Guidance--Update'', currently posted at http://
www.whitehouse.gov/omb/inforeg/guidance1985.pdf.
    Routine use number 7 is clarified as to the scope of records that 
can be disclosed to the Department of Justice (DoJ).
    Routine use number 8 is clarified as to the scope of records that 
can be disclosed for law enforcement purposes.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which we collected the information. In all of the routine 
use disclosures described above, the recipient of the information will 
use the information in connection with a matter relating to one of VA's 
programs, will use the information to provide a benefit to VA, or 
disclosure is required by law.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of the Office of Management and Budget (OMB) as 
required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB 
(65 FR 77677), December 12, 2000.

    Approved: March 6, 2007.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
107VA008B

System Name:
    Health Program Evaluation--VA.

System Location:
    The system of records is located in office of the Director, Office 
of Data Development and Analysis, (008A3), U.S. Department of Veterans 
Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Records are 
stored on a secured server computer at the VA Austin Automation Center, 
1615 Woodward Street, Austin, Texas 78722. Records not stored at the VA 
Austin Automation Center are stored on electronic media or laser 
optical media in a combination-protected safe which is secured inside a 
key-accessed room at the U.S. Department of Veterans Affairs, 810 
Vermont Avenue, NW., Washington, DC, 20420. Records necessary for a 
contractor to perform analyses under a contract are located at the 
respective contractor's secure facility.

Categories of Individuals Covered by the System:
    1. Veterans who have applied for healthcare services or benefits 
under Title 38, United States Code.
    2. Veterans' spouse, surviving spouse, previous spouse, children, 
and parents who have applied for healthcare services or benefits under 
Title 38, United States Code.
    3. Beneficiaries of other Federal agencies or other governmental 
entities.
    4. Individuals examined or treated under contract or resource 
sharing agreements.
    5. Individuals examined or treated for research or donor purposes.
    6. Individuals who have applied for Title 38 benefits but who do 
not meet the requirements under Title 38 to receive such benefits.
    7. Individual who were provided medical care under emergency 
conditions for humanitarian reasons.
    8. Pensioned members of allied forces provided healthcare services 
under Title 38, United States Code.

Categories of Records in the System:
    Records include identification numbers, contact and location 
information, demographic information, military service descriptions, 
residency characteristics, economic information, healthcare visit 
descriptions, patient

[[Page 13349]]

assessments, medical test descriptions and results, diagnoses, 
disability assessments, treatments, pharmaceutical information, service 
utilization and associated medical staffing and resource costs, 
entitlements or benefits, patient survey results, and health status. 
The records include information created or collected during the course 
of normal clinical operations work and is provided by patients, 
employers, students, volunteers, contactors, subcontractors, and 
consultants. In addition, records also include social security numbers, 
military service numbers, claim or file numbers, and DoD's 
identification numbers.

Authority for Maintenance of the System:
    38 U.S.C 527.

Purpose(s):
    Health-related qualitative, quantitative, and actuarial analyses 
and projections to support policy analyses and recommendations to 
improve VA services for veterans and their families. Analysis and 
review of policy and long-term planning issues affecting veterans 
programs to support legislative, regulatory and policy recommendations 
and initiatives.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purposes of Such Uses:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, or both, that information cannot be disclosed under a routine 
use unless there is also specific statutory authority in 38 U.S.C. 7332 
and regulatory authority in 45 CFR parts 160 and 164 permitting 
disclosure.
    1. Any system records disclosure may be made to a Member of 
Congress or to a Congressional staff member in response to an inquiry 
of the Congressional office made at the written request of the 
constituent about whom the record is maintained.
    2. Any system records disclosure may be made to the National 
Archives and Records Administration as required in records management 
inspections under title 44 U.S.C.
    3. Any system records may be disclosed to a Federal agency for the 
conduct of research and data analysis to perform a statutory purpose of 
that Federal agency upon the prior written request of that agency, 
provided that there is legal authority under all applicable 
confidentiality statutes and regulations to provide the data and OPP 
has determined prior to the disclosure that OPP data handling 
requirements are satisfied. OPP may disclose limited individual 
identification information to another Federal agency for the purpose of 
matching and acquiring information held by that agency for OPP to use 
for the purposes stated for this system of records.
    4. Any system records may be disclosed to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to perform such 
services as VA may deem practicable for the purposes of laws 
administered by VA, in order for the contractor, subcontractor, public 
or private agency, or other entity or individual with whom VA has an 
agreement or contract to perform the services of the contract or 
agreement. This routine use includes disclosures by the individual or 
entity performing the service for VA to any secondary entity or 
individual to perform an activity that is necessary for individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to provide the 
service to VA.
    5. Any system records may be disclosed to the Office of Management 
and Budget in order for them to perform their statutory 
responsibilities of evaluating Federal programs.
    6. Any records may be disclosed to appropriate agencies, entities, 
and persons under the following circumstances: When (1) it is suspected 
or confirmed that the security or confidentiality of information in the 
system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security or integrity of this system or other 
systems or programs (whether maintained by the Department or another 
agency or entity) that rely upon the compromised information; and (3) 
the disclosure is made to such agencies, entities, and persons who are 
reasonably necessary to assist in connection with the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm.
    7. VA may disclose information in this system of records to the 
Department of Justice, either on VA's initiative or in response to 
DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    In determining whether to disclose records under this routine use, 
VA will comply with the guidance promulgated by the Office of 
Management and Budget in a May 24, 1985, memorandum entitled ``Privacy 
Act Guidance--Update'', currently posted at http://www.whitehouse.gov/
omb/inforeg/guidance1985.pdf.
    8. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature, and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
Storage:
    VA sensitive information, including individually identifiable 
health information, is stored on electronic media, laser optical media, 
on a segregated secure server or in paper form. Data stored on a secure 
server are located at the Austin Automation Center. Electronic media, 
or laser

[[Page 13350]]

optical media data are kept locked in a safe when not in immediate use. 
The safe is secured inside a key-accessed room at OPP. Information 
stored on paper is kept locked in file cabinets when not in immediate 
use. Databases are temporarily placed on a secured server inside a 
restricted network area for data match purposes only. Information that 
resides on a segregated server is kept behind locked doors with limited 
access. Requestors of OPP stored health information within VA, or from 
external individuals, contractors, organizations, and/or agencies with 
whom VA has a contract or agreement, must provide an equivalent level 
of security protection and comply with all applicable VA policies and 
procedures for storage and transmission as codified in VA directives 
such as but not limited to VA Directive 6504.

Retrievability:
    Individually-identified health care information is kept in two 
forms. The first form is the original data file containing the names 
and social security numbers of the record subjects. OPP assigns unique 
codes derived from social security numbers to these individual records 
prior to conducting analyses on the data. The encryption key for social 
security numbers and other numerical identifiers of the individuals is 
stored in a safe in OPP. The original records may be retrieved using 
social security numbers, military service number, claim or file number, 
DoD's identification numbers, or other personal numerical identifiers. 
The records containing the encrypted identifiers may be retrieved only 
by those identifiers.

Safeguards:
    This list of safeguards furnished in this System of Record is a 
general statement of measures taken to protect health information. For 
example, HIPAA guidelines for protecting health information will be 
followed and OPP will adopt evolving health care industry best 
practices in order to provide adequate safeguards. Further, VA policy 
directives that specify the standards that will be applied to protect 
health information will be provided to VA staff and contractors through 
mandatory data privacy and security training.
    Access to data storage areas is restricted to authorized VA 
employee or contract staff who have been cleared to work by the VA 
Office of Security and Law Enforcement. Health information file areas 
are locked after normal duty hours. VA facilities are protected from 
outside access by the Federal Protective Service and/or other security 
personnel.
    Access to health information provided by the Veterans Health 
Administration (VHA) pursuant to a Business Associate Agreement (BAA) 
is restricted to those OPP employees and contractors who have a need 
for the information in the performance of their official duties related 
to the terms of the BAA. As a general rule, full sets of health care 
information are not provided for use unless authorized by the OPP 
Assistant Secretary. File extracts provided for specific official uses 
will be limited to the minimum necessary amount and contain only the 
information fields needed for the analysis. Data used for analyses will 
have individual identifying characteristics removed whenever possible.
    Security complies with applicable Federal Information Processing 
Standards (FIPS) issued by the National Institute of Standards and 
Technology (NIST). Health information files containing unique 
identifiers such as social security numbers are encrypted to NIST-
verified FIPS 140-2 standard or higher for storage, transport, or 
transmission. All files stored or transmitted on laptops, workstations, 
data storage devices and media are encrypted. Files are kept encrypted 
at all times except when data is in immediate use, per specifications 
by VA Office of Information Technology. NIST publications were 
consulted in development of security for this system of records.
    Contractors and their subcontractors are required to maintain the 
same level of security as VA staff for health care information that has 
been disclosed to them. Any data disclosed to a contractor or 
subcontractor to perform authorized analyses requires the use of Data 
Use Agreements, Non-Disclosure Statements and Business Associates 
Agreements to protect health information. Unless explicitly authorized 
in writing by the VA, sensitive or protected data made available to the 
contractor and subcontractors shall not be divulged or made known in 
any manner to any other person. Other federal or state agencies 
requesting health care information need to execute Data Use Agreements 
to protect data.
    OPP's work area is accessed for business-only needs. For data that 
is not stored on a secure server, the data is stored in a combination-
protected safe which is secured inside a limited access room. Direct 
access to the safe is controlled by select individuals who possess 
background security clearances. Only a few employees with strict 
business needs or ``need-to-know'' access and completed background 
checks will ever handle the data once it is removed from the safe for 
data match purposes.

Retention and Disposal:
    Records are maintained and disposed of in accordance with records 
disposition authority approved by the Archivist of the United States. 
If the Archivist has not approved disposition authority for any records 
covered by the system notice, the System Manager will take immediate 
action to have the disposition of records in the system reviewed and 
paperwork initiated to obtain an approved records disposition authority 
in accordance with VA Handbook 6300.1, Records Management Procedures. 
OPP will publish an amendment to this notice upon issuance of NARA-
approved disposition authority. The records may not be destroyed until 
VA obtains an approved records disposition authority. OPP destroys 
electronic files when no longer needed for administrative, legal, 
audit, or other operational purposes. In accordance with title 36 CFR 
1234.34, Destruction of Electronic Records, ``electronic records may be 
destroyed only in accordance with a records disposition schedule 
approved by the Archivist of the United States, including General 
Records Schedules.''

System Manager(s) and Address(es):
    Director, Office of Data Development and Analysis, (008A3), U.S. 
Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 
20420.

Notification Procedure:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request to the Director, Office of Data Development 
and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont 
Avenue, NW., Washington, DC 20420. Such requests must contain a 
reasonable description of the records requested. All inquiries must 
reasonably identify the health care information involved and the 
approximate date that medical care was provided. Inquiries should 
include the patient's full name, social security number, telephone 
number and return address.

Record Access Procedures:
    Individuals seeking information regarding access to and contesting 
of VA health information maintained by the Office of Policy and 
Planning may send a request by mail to the Director, Data Development 
and Analysis Service, (008A3), Department of Veterans

[[Page 13351]]

Affairs, 810 Vermont Ave., Washington, DC 20420

Contesting Records Procedures:
    (See Notification procedure above.)

Record Source Categories:
    Information is obtained from VHA and other VA staff offices and 
Administrations, OPP's National Survey of Veterans, national surveys 
(e.g., National Long Term Care Survey, National Health Interview 
Survey), Federal agencies (e.g., Department of Defense, Department of 
Health and Human Services), state agencies, and other private and 
public health provider or insurance programs and plans.

 [FR Doc. E7-5135 Filed 3-20-07; 8:45 am]
BILLING CODE 8320-01-P