Privacy Act of 1974; System of Records, 17229-17233 [E7-6233]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 72, Number 66 (Friday, April 6, 2007)]
[Notices]
[Pages 17229-17233]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-6233]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 (5 U.S.C. 552a(e) 
notice is hereby given that the Department of Veterans Affairs is 
amending the system of records currently entitled ``Veterans, 
Dependents of Veterans, and VA Beneficiary Survey Records (43VA008)'' 
as set forth in the Federal Register 65 FR 61022-61025. VA is amending 
the system by revising the System Name, Categories of Individuals on 
Whom Records are Maintained in the System; Categories of Records in the 
System; Authority for Maintenance of the System, Routine Uses of 
Records Maintained in the System, including Categories of Users and the 
Purpose of Such Uses, the Policies and Practices for Storing, 
Retrieving, Accessing, Retaining, and Disposing of Records in the 
System; System Manager(s); and Record Source Categories. VA is 
publishing the system notice in its entirety.

DATES: Comments on this new system of records must be received no later 
than May 7, 2007. If no public comment is received, the new system of 
records will become effective May 7, 2007.

[[Page 17230]]


ADDRESSES: Written comments may be submitted through 
www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays) by May 7, 2007. Please call (202) 273-9515 for an 
appointment. In addition, during the comment period, comments may be 
viewed online through the Federal Docket Management System.

FOR FURTHER INFORMATION CONTACT: Christine Elnitsky, Senior Policy 
Analyst, Policy Analysis Service, (008A1), U.S. Department of Veterans 
Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, (202) 273-9179.

SUPPLEMENTARY INFORMATION:

I. Description of Proposed System of Records

    The system name is changed from ``Veterans, Dependents of Veterans, 
and VA Beneficiary Survey Records-VA'' to ``Veterans, Service Members, 
Family Members, and VA Beneficiary Survey Records'' to be consistent 
with Congress' intent (as reflected in Pub. L. 108-454, sections 211 
and 805) that VA also include service members and families of service 
members in surveys conducted by VA. The term ``Service Members'' 
includes active duty Armed Forces and members of the National Guard and 
Reserve Force, regardless of whether they are on active duty.
    The category entitled ``Categories of individuals on whom records 
are maintained in the system'' is amended to more accurately reflect 
the population from which VA may conduct surveys, to include service 
members and families of service members. VA beneficiaries, such as a 
spouse from a previous marriage, have and continue to be an included 
category of individuals.
    The records covered by the heading entitled ``Categories of records 
maintained in the system'' are clarified by providing more details 
concerning the records contained in some of the categories of records 
described in the current system of records notice. VA is not adding any 
new categories of records maintained.
    VA is amending the authority for maintenance of records in this 
system to more precisely state that authority and to include statutory 
authority enacted since the last publication of this system notice. 
Previously, VA cited all of Public Law 103-62 as authority to maintain 
these records when only the portion codified at 5 U.S.C. section 306 is 
applicable. The reference to planning in the current and proposed 
Purposes for this system of records includes (and included) use in VA 
strategic planning under section 306. VA also is adding sections 211 
and 805 of Public Law 108-454 as authority for maintenance of the 
records in this system of records.
    VA is amending the Policies and Practices for Storing, Retrieving 
Accessing, Retaining and Disposing of Records in the System as follows. 
VA is amending the ``Retrievability'' and ``Safeguards'' paragraphs to 
reflect requirements for protecting the confidentiality of protected 
health information obtained from the Veterans Health Administration 
(VHA) in compliance with requirements of the Health Insurance 
Portability and Accountability Act (HIPAA) Privacy and Security Rules. 
The amendments to the ``Safeguards'' paragraph also more fully describe 
security procedures for protecting the records, as well as procedures 
adopted since the last publication. VA is amending the retention and 
disposal paragraph to more fully describe the statutory requirement.
    VA is amending the system manager paragraph to reflect the change 
in the agency official responsible for maintaining the system of 
records.
    The Department has made minor edits to the System Notice to use 
plain language, and for grammar and clarity purposes, including changes 
to routine uses. These changes are not, and are not intended to be, 
substantive, and consequently, are not further discussed or enumerated.

II. Proposed Amendments to Routine Use Disclosures of Data in the 
System

    The Agency is adding a preliminary statement before the routine 
uses clarifying that the routine use disclosure statements in this 
system of records do not provide authority for VA to disclose 
individually-identifiable health information protected by 38 U.S.C. 
7332, the HIPAA Privacy Rule. This means you must have disclosure 
authority under 38 U.S.C. 7332, HIPAA, or both, where applicable, 
before disclosure under any routine use for data covered by these 
provisions. Further, routine uses are amended to provide consistency 
with the standards defined by Department of Health and Human Services 
(HHS) under HIPAA.
    Routine use number 1 and 2 are subsumed in the new routine use 
number 4. The combined routine use permits all disclosures previously 
authorized under the two previous routine uses.
    Routine use number 3 is renumbered as routine use number 1 and is 
clarified as to the scope of records that can be disclosed.
    Routine use number 4 is renumbered as routine use number 2 and is 
amended to clarify the persons who may receive records under this 
routine use. VA retains ownership of all individually-identifiable 
records provided under this routine use or created by the recipient 
pursuant to the agreement underlying this routine use. Recipients of 
records under this routine use shall be required to comply with the 
Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m). OPP will 
ensure the appropriateness of disclosure of health information to 
contractors. Safeguards are to be provided in the underlying contract 
or agreement prohibiting the contractor from using or disclosing the 
information for any purpose other than that described in the contract 
or agreement.
    Routine use number 3 is a new routine use. The routine use states 
when OPP, on its own initiative, may disclose individually-identifiable 
information to law enforcement entities for investigations.
    Routine use number 4 is a new routine use. It provides authority 
for VA to provide information to other Federal agencies for statutorily 
permitted or required research and analyses. The routine use also 
permits VA to disclose limited individually-identified information to 
another Federal agency where that agency needs the information in order 
to locate, identify and provide information to OPP for OPP's purposes 
provided in this system of records notice. For example, this disclosure 
would include use in statistical studies such as describing VA's role 
in total benefit coverage and forecasting future demand for VA benefits 
or services or to receive summary business data to study the growth of 
veteran-owned businesses by area and industry. The privacy requirements 
and information use safeguards as required by OPP when records are 
shared with other Federal agencies for their use or for OPP information 
matching needs are specified.
    Routine use number 5 is a new routine use. The routine use provides 
that VA may disclose individually-identifiable information about a 
constituent of a Member of Congress to that Member or his or her staff 
when the Member is acting on behalf of the constituent at the 
constituent's request.

[[Page 17231]]

    Routine use number 6 is a new routine use that states when the 
Department may disclose records to the Department of Justice or may 
itself disclose records in litigation involving the United States. In 
determining whether to disclose records under this routine use, VA will 
comply with the guidance promulgated by the Office of Management and 
Budget in a May 24, 1985, memorandum entitled ``Privacy Act Guidance--
Update'', currently posted at https://www.whitehouse.gov/omb/inforeg/
guidance1985.pdf.
    Routine use number 7 is a new routine use that states the 
circumstances, and to whom, VA may disclose records in order to respond 
to, and minimize possible harm to individuals as a result of a data 
breach. This routine use is promulgated in order to meet VA's duties 
under 38 U.S.C. 5724 and the Privacy Act.

III. Compatibility of the Proposed Routine Uses

    The Privacy act permits VA to disclose information about 
individuals without their authorization for routine uses when the 
information will be used for purposes that are compatible with the 
purposes for which VA collected the information. In all the routine use 
disclosures described above, either the recipient of the information 
will use the information in connection with a matter relating to one of 
VA's programs, will use the information to provide a benefit to VA, or 
disclosure is required by law.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of the Office of Management and Budget (OMBN) as 
required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB 
(65 FR 77677), December 12, 2000.

    Approved: March 22, 2007.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
43VA008

SYSTEM NAME:
    Veterans, Service Members, Family Members, and VA Beneficiary 
Survey Records.

SYSTEM LOCATION:
    Computerized records will be maintained at the following computer 
site locations: VA Austin Automation Center, 1615 Woodward Street, 
Austin, Texas 78722; VA Central Office, 810 Vermont Avenue, NW., 
Washington, DC 20420; or with private contractors acting as agents of 
the VA. Paper records are stored at the Washington National Records 
Center (WNRC) or with private contractors acting as agents of the VA.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    (1) Veterans,
    (2) Family members of veterans,
    (3) Military service members,
    (4) Family members of service members, and
    (5) Other VA beneficiaries.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records in the system may include:
    1. Personal identifiers (e.g., respondents' names, addresses, phone 
numbers, social security numbers, employer identification numbers);
    2. Demographic and socioeconomic characteristics (e.g., date of 
birth, sex, race/ethnicity, education, marital status, employment and 
earnings, financial information, business ownership information);
    3. Military service information (e.g., military occupational 
specialties, periods of active duty, branch of service including 
National Guard or Reserves, date of separation, rank);
    4. Health status information (e.g., diagnostic, health care 
utilization, cost, and third-party health plan information);
    5. Benefit and service information (e.g., data on transition 
assistance services, VA medical and other benefit eligibility, 
awareness, knowledge, understanding, and use; data on access and 
barriers to VA benefits or services; data about satisfaction with VA 
outreach, benefits, or services);
    6. The records may also include information about DoD military 
personnel from DoD files (e.g., utilization files that contain 
inpatient and outpatient medical records, and eligibility files from 
the Defense Eligibility Enrollment Reporting System (DEERS));
    7. The records may include information on Medicare beneficiaries 
from Health Care Financing Administration (HCFA) databases (e.g., 
Denominator file identifies the population being studied; Standard 
Analytical files on inpatient, outpatient, physician supplier, nursing 
home, hospice, home care, durable medical equipment; and Group and 
other Health Plans).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 306, 38 U.S.C. 527, and Sections 211 and 805 of Public Law 
108-454.

PURPOSE(S):
    The purpose of this system of records is to collect data about the 
characteristics of America's veteran, service member, family member, 
and beneficiary population through surveys that may be augmented with 
information from several existing VA systems of records and with 
information from non-VA sources to:
    1. Conduct statistical studies and analyses relevant to VA programs 
and services.
    2. Plan and improve services provided;
    3. Decide about VA policies, programs, and services;
    4. Study the VA's role in the use of VA and non-VA benefits and 
services; and
    5. Study the relationship between the use of VA benefits and 
services and the use of related benefits and services from non-VA 
sources. These types of studies are needed for VA to forecast future 
demand for VA benefits and services.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSE OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism, or alcohol 
abuse, sickle cell anemia, or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. Any system records may be disclosed to the National Archives and 
Records Administration (NARA), and General Services Administration 
(GSA) for records management inspections conducted under the authority 
of 44 United States Code.
    2. Any system records may be disclosed to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement for the 
performance of the services identified in the contract or agreement. 
The person performing the agreement or contract (or employees of the 
person) also may disclose records covered by the contract or agreement 
to any secondary entity or individual to perform an activity necessary 
to provide to VA the service identified in the contract or agreement as 
permitted under the contract or agreement.
    3. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their

[[Page 17232]]

dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.
    4. Any system records may be disclosed to a Federal agency for the 
conduct of research and data analysis to perform a statutory purpose of 
that Federal agency upon the prior written request of that agency, 
provided that there is legal authority under all applicable 
confidentiality statutes and regulations to provide the data and OPP 
has determined prior to the disclosure that OPP data handling 
requirements are satisfied. OPP may disclose limited individual 
identification information to another Federal agency for the purpose of 
matching and acquiring information held by that agency for OPP to use 
for the purposes stated for this system of records.
    5. Any system records may be disclosed to a Member of Congress or 
to a Congressional staff member in response to an inquiry of the 
Congressional Office made at the written request of the constituent 
about whom the record is maintained.
    6. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    7. VA may, on its own initiative, disclose information when VA 
reasonably believes that there may have been a data breach with respect 
to information in the system such that the confidentiality or integrity 
of information in the system of records may have been compromised to 
such agencies, entities, and persons who are reasonably necessary to 
assist in connection with the Department's efforts to respond to the 
suspected or confirmed data breach and prevent, minimize, or remedy 
such harm, including conduct of any risk analysis, or provision of 
credit protection services as provided in 38 U.S.C. 5724.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING 
AND DISPOSING OF RECORDS IN THE SYSTEM
STORAGE:
    VA sensitive information includes health information that is stored 
on electronic media, laser optical media, on a segregated secure server 
or in paper form. Electronic media, or laser optical media data are 
kept locked in a safe when not in immediate use. The data is located in 
a combination-locked safe which is secured inside a key-accessed room 
at the U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., 
Washington, DC 20420. Information stored on paper is kept locked in 
file cabinets when not in immediate use. Databases are temporarily 
placed on a secured server inside a restricted network area for data 
match purposes only. Information that resides on a segregated server is 
kept behind cipher locked doors with limited access. Requestors of OPP 
stored health information within VA, or from external individuals, 
contractors, organizations, and/or agencies with whom VA has a contract 
or agreement, must provide an equivalent level of security protection 
and comply with current VA policies and procedures for storage and 
transmission as codified in VA directives such as but not limited to VA 
Directive 6504.

RETRIEVABILITY:
    Health care information is kept separate from individual 
identifiers. Unique codes are assigned to individual health 
information. A codebook for decoding is stored in a safe for name, 
social security number or other assigned identifiers of the individuals 
on whom they are maintained. These records may be retrieved by name, 
address, social security number, date of birth, military service 
number, claim or file number, DoD's identification numbers, or other 
personal identifiers.

SAFEGUARDS:
    1. This list of safeguards furnished in this System of Record is 
not an exclusive list of measures that has been, or will be, taken to 
protect individually-identifiable information. HIPAA guidelines for 
protecting health information will be followed by adopting health care 
industry best practices in order to provide adequate safeguards. 
Further, VA policy directives that specify the standards that will be 
applied to protect health information will be reviewed by VA staff and 
contractors through mandatory data privacy and security training.
    2. Access to data storage areas is restricted to authorized VA 
employee or contract staff who have been cleared to work by the VA 
Office of Security and Law Enforcement. Health information file areas 
are locked after normal duty hours. VA facilities are protected from 
outside access by the Federal Protective Service and/or other security 
personnel.
    3. Access to health information provided by the Veterans Health 
Administration (VHA) pursuant to a Business Associate Agreement (BAA) 
is restricted to those OPP employees and contractors who have a need 
for the information in the performance of their official duties. As a 
general rule, full sets of health care information are not provided for 
use unless authorized by the Assistant Secretary. File extracts 
provided for specific official uses will be limited to contain only the 
information fields needed for the analysis. Data used for analyses will 
have individual identifying characteristics removed whenever possible.
    4. Security complies with applicable Federal Information Processing 
Standards (FIPS) issued by the National Institute of Standards and 
Technology (NIST). Health information files containing unique 
identifiers such as social security numbers are encrypted to NIST 
verified FIPS 140-2 standard or higher for storage, transport, or 
transmission. All files stored or transmitted on laptops, workstations, 
data storage devices and media are encrypted. Files are kept encrypted 
at all times except when data is in immediate use. These methods are 
applied in accordance with HIPAA regulations [45 CFR 164.514] and VA 
Directive 6504.
    5. Contractors and their subcontractors are required to maintain 
the same level of security as VA staff for health care information that 
has been disclosed to them. Any data disclosed to

[[Page 17233]]

a contractor or subcontractor to perform authorized analyses requires 
the use of Data Use Agreements, Non-Disclosure Statements and Business 
Associates Agreements (BAA's) to protect health information. Unless 
explicitly authorized in writing by the VA, sensitive or protected data 
made available to the contractor and subcontractors shall not be 
divulged or made known in any manner to any person. Other federal or 
state agencies requesting health care information need to provide Data 
Use Agreements to protect data.
    6. OPP's work area is accessed for business-only needs. The data is 
stored in a combination-protected safe which is secured inside a 
limited access room. Direct access to the safe is controlled by select 
individuals who possess background security clearances. Only a few 
employees with strict business needs or ``need-to-know'' access and 
completed background checks will ever handle the data once it is 
removed from the safe for data match purposes.
    7. Data matches are conducted on a secured server which is housed 
in a restricted access network area with appropriate locking devices. 
Access to such records are controlled by three measures: The 
application of a VA security identification card coded with special 
permissions network area's key pad; the proper input of a series of 
individually-unique passwords/codes by a recognized user; and the 
entrance of those select individuals for the performance of their 
official information technology-related duties.
    8. Access to Automated Data Processing (ADP) files is controlled by 
using an individually unique password entered in combination with an 
individually unique user identification code.
    9. Access to VA facilities where identification codes, passwords, 
security profiles and possible security violations are maintained is 
controlled at all hours by the Federal Protective Service, VA, or other 
security personnel and security access control devices.
    10. Public use files prepared for purposes of research and analysis 
are purged of personal identifiers.
    11. Paper records, when they exist, are maintained in a locked room 
at the WNRC. The Federal Protective Service protects paper records from 
unauthorized access.

RETENTION AND DISPOSAL:
    Records are maintained and disposed of in accordance with the 
records disposition authority approved by the Archivist of the United 
States and the National Archives and Records Administration (NARA) and 
published in Agency Records Control Schedules. If the Archivist has not 
approved disposition authority for any records covered by the system 
notice, the System Manager will take immediate action to have the 
disposition of records in the system reviewed in accordance with VA 
Handbook 6300.1, Records Management Procedures. The records may not be 
destroyed until VA obtains an approved records disposition authority. 
See Records Control Schedule (RCS) 10-1 for further guidance. OPP 
destroys electronic files when no longer needed for administrative, 
legal, audit, or other operational purposes. In accordance with title 
36 CFR, Section 1234.34, Destruction of Electronic Records, 
``electronic records may be destroyed only in accordance with a records 
disposition schedule approved by the Archivist of the United States, 
including General Records Schedules.''

SYSTEM MANAGER(S) AND ADDRESS(ES):
    Director, Policy Analysis Service (008A1), 810 Vermont Avenue, NW., 
Washington, DC 20420.

NOTIFICATION PROCEDURE:
    An individual who wants to determine whether the Director, Policy 
Analysis Service (008A1) is maintaining a record under the individual's 
name or other personal identifier or wants to determine the content of 
such records must submit a written request to the Director, Program 
Analysis Service (008A1). The individual seeking this information must 
prove his or her identity and provide the name of the survey in 
question, approximate date of the survey, social security number, full 
name, and date of birth, telephone number, and return address. All 
inquiries must reasonably identify the health care information involved 
and the approximate date that medical care was provided.

RECORDS ACCESS PROCEDURES:
    Individual seeking information regarding access to and contesting 
of records maintained by the Office of Policy and Planning under his or 
her name or other personal identifier may write the System Manager 
named above and specify the information being requested or contested.

CONTESTING RECORD PROCEDURES:
    (See Records Access Procedures.)

RECORDS SOURCE CATEGORIES:
    Information in this system of records is obtained from survey 
questionnaire data provided by veterans, veteran family members, 
military service members, families of service members, or VA 
beneficiaries in a survey sample and from veterans, family members, 
military service members, or beneficiaries on specific VA benefit 
rolls. Information may also be obtained from the Patient Medical 
Records System (24VA19), the Patient Fee Basis Medical and Pharmacy 
Records (23VA19); Veterans and Beneficiaries Identification and Records 
Location Subsystem (38VA23); Compensation, Pension, Education, and 
Rehabilitation Records (58VA21/22); Health Care Eligibility Center 
Records (89VA19); DoD utilization files and DEERS files; and HCFA 
Denominator file or its successor, Standard Analytical files 
(inpatient, outpatient, physician supplier, nursing home, hospice, home 
care, durable medical equipment) and Group Health Plan, and other 
public or private health provider, federal agency, or insurance 
programs and plans.

[FR Doc. E7-6233 Filed 4-5-07; 8:45 am]
BILLING CODE 8320-01-P