Privacy Act of 1974, 46130-46133 [E7-16046]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 72, Number 158 (Thursday, August 16, 2007)]
[Notices]
[Pages 46130-46133]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-16046]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552a(e)(4)) requires that 
all agencies publish in the Federal Register a notice of the existence 
and character of their system of records. Notice is hereby given that 
VA is amending the system of records entitled ``Consolidated Data 
Information System-VA'' (97VA105) as set forth in the Federal Register 
66 FR 3650-3653 dated January 16, 2001. VA is amending the system by 
revising the System Location, Categories of Records Maintained in the 
System, Purpose(s), Routine Uses of Records Maintained in the System, 
Retention and Disposal, System Manager and Record Source Categories. VA 
is republishing the system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than September 17, 2007. If no public comment is 
received, the amended system will become effective September 17, 2007.

ADDRESSES: Written comments may be submitted through https://
www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 273-9515 for an appointment. In 
addition, during the comment period, comments may be viewed online 
through the Federal Docket Management System (FDMS).

FOR FURTHER INFORMATION CONTACT: Stephania H. Putt, Veterans Health 
Administration (VHA) Privacy Officer (19F2), Department of Veterans 
Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, (727) 320-1839.

SUPPLEMENTARY INFORMATION: Under section 527 of Title 38, U.S.C., and 
the Government Performance and Results Act of 1993, Public Law 103-62, 
VA is required to measure and evaluate, on an ongoing basis, the 
effectiveness of VA benefit programs and services. In performing this 
required function, VA must collect, collate and analyze full 
statistical data regarding participation, provision of services, 
categories of beneficiaries, and planning of expenditures for all VA 
programs. This combined database is necessary for the Veterans Health 
Administration (VHA) to accurately and timely assess the current health 
care usage by the patient population served by VA, to forecast future 
demand for VA medical care by individuals currently eligible for 
service by VA medical facilities, and to understand the numerous 
implications of cross-usage between VA and non-VA health care systems.

[[Page 46131]]

    As VA has widened its scope of the Centers for Medicare and 
Medicaid Services (CMS) data usage and further centralized the source 
of data in order to improve efficiency and protect privacy/security of 
data elements, it was necessary to implement changes to the management 
and use of these records. A summary of these changes follows:
    1. The purpose of this system of records has been revised to add 
the need to use the records and information for audit and evaluation of 
Department programs, for determinations of eligibility for benefits and 
for research as defined by Common Rule.
    2. The records are now maintained and retained at the primary and 
secondary VA recipient CMS data site locations listed in Appendix 5.
    3. Under Categories of Records information from the Persian Gulf 
registry has been added and the types of CMS records maintained now 
includes health care utilization, demographic, enrollment, and survey/
assessment files including veteran and non-veteran data. In addition, 
information on veterans enrolled for VA health care who have 
participated in the periodic ``VHA Survey of Veteran Enrollees' Health 
and Reliance Upon VA'' is now included in the system.
    4. System Manager and Address was updated to reflect: Manager, 
Medicare and Medicaid Analysis Center, 100 Grandview Rd., Suite 114, 
Braintree, MA 02184.
    Under section 264, Subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 
100 STAT. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable Health 
Information, 45 CFR Parts 160 and 164. VHA may not disclose 
individually-identifiable health information (as defined in HIPAA and 
the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to 
a routine use unless either: (a) The disclosure is required by law, or 
(b) the disclosure is also permitted or required by the HHS Privacy 
Rule. The disclosures of individually-identifiable health information 
contemplated in the routine uses published in this amended system of 
records notice are permitted under the Privacy Rule or required by law. 
However, to also have authority to make such disclosures under the 
Privacy Act, VA must publish these routine uses. Consequently, VA is 
adding a preliminary paragraph to the routine uses portion of the 
system of records notice stating that any disclosure pursuant to the 
routine uses in this system of records notice must be either required 
by law or permitted by the Privacy Rule before VHA may disclosed the 
covered information. VA is also proposing to amend the following 
routine use disclosures of information maintained in the system:
     Routine use 3 has been amended in its entirety. On its own 
initiative, the VA may disclose information, except for the names and 
home addresses of veterans and their dependents, to a Federal, State, 
local, tribal or foreign agency charged with the responsibility of 
investigating or prosecuting civil, criminal or regulatory violations 
of law, or charged with enforcing or implementing the statute, 
regulation, rule or order issued pursuant thereto. On its own 
initiative, the VA may also disclose the names and addresses of 
veterans and their dependents to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto.
     Routine uses 4, 5, 7, and 8 have revised for ease of 
readability and clarification. VA is also proposing to add the 
following routine use disclosure of information maintained in the 
system:
     Routine use 9 was added to disclose to appropriate 
agencies, entities, and persons under the following circumstances: When 
(1) It is suspected or confirmed that the security or confidentiality 
of information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security or 
integrity of this system or other systems or programs (whether 
maintained by the Department or another agency or entity) that rely 
upon the compromised information; and (3) the disclosure is made to 
such agencies, entities, and persons who are reasonably necessary to 
assist in connection with the Department's efforts to respond to the 
suspected or confirmed compromise and prevent, minimize, or remedy such 
harm.
    The Privacy Act permits VA to disclose information about 
individuals without their prior written consent for a routine use when 
the information will be used for a purpose that is compatible with the 
purpose for which we collected the information. In all of the routine 
use disclosures described above, the recipient of the information will 
use the information in connection with a matter relating to one of VA's 
programs, will use the information to provide a benefit to VA, or 
disclosure is required by law.
    The Report of Intent to Publish an Amended System of Records Notice 
and an advance copy of the system notice have been sent to the 
appropriate Congressional committees and to the Director of Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

    Approved: August 1, 2007.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
97VA105

SYSTEM NAME:
    Consolidated Data Information System-VA.

SYSTEM LOCATION(S):
    Records will be maintained at primary and secondary Department of 
Veteran Affairs (VA) recipient sites for the Centers for Medicare & 
Medicaid Services (CMS) data (see VA Appendix 5).

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Records include information concerning veterans, their spouses and 
their dependents, family members, active duty military personnel, and 
individuals who are not VA beneficiaries, but who receive health care 
services from the Veterans Health Administration (VHA).

CATEGORIES OF RECORDS IN THE SYSTEM:
    Categories of records in the system will include veterans' names, 
addresses, dates of birth, VA claim numbers, social security numbers 
(SSNs), and military service information; medical benefit application 
and eligibility information; code sheets and follow-up notes; 
sociological, diagnostic, counseling, rehabilitation, drug and alcohol, 
dietetic, medical, surgical, dental, psychological, and/or psychiatric 
medical information; prosthetic, pharmacy, nuclear medicine, social 
work, clinical laboratory and radiology information; patient scheduling 
information; family information such as next of kin, spouse and 
dependents' names, addresses, social security numbers and dates of 
birth; family medical history; employment information; financial 
information; third-party health plan information; information related 
to registry systems,

[[Page 46132]]

such as Ionizing Radiation, Gulf War and Agent Orange; date of death; 
VA claim and insurance file numbers; travel benefits information; 
military decorations; disability or pension payment information; amount 
of indebtedness arising from 38 U.S.C. benefits; medical and dental 
treatment in the Armed Forces and claim information; applications for 
compensation, pension, education and rehabilitation benefits; 
information related to incarceration in a penal institution; medication 
profile such as name, quantity, prescriber, dosage, manufacturer, lot 
number, cost and administration instruction; pharmacy dispensing 
information such as pharmacy name and address.
    The records will include information on the Department of Defense 
(DoD) military personnel from two categories of DoD files: (1) 
Utilization files that contain inpatient and outpatient records, and 
(2) eligibility files from the Defense Eligibility Enrollment Reporting 
System (DEERS) containing data on all military personnel including 
those discharged from the Armed Services since 1972.
    The records will include information on Medicare beneficiaries from 
CMS databases including: Health care usage, demographic, enrollment, 
and survey/assessment files including veteran and non-veteran data.
    The records include information on Medicaid beneficiaries' 
utilization and enrollment from State databases.
    The records will include information on veterans enrolled for VA 
health care who have participated in the periodic ``VHA Survey of 
Veteran Enrollees'' Health and Reliance Upon VA.''

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 527 of 38 U.S.C. and the Government Performance and Results 
Act of 1993, Public Law 103-62.

PURPOSE(S):
    The purpose of this system of records is to conduct statistical 
studies and analyses which will support the formulation of Departmental 
policies and plans by identifying the total current health care usage 
of the VA patient population. The records and information may be used 
by VA for audit and evaluation of Department programs and for 
determinations of eligibility for benefits. The information may be used 
to conduct research.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSE OF SUCH USES:
    VA may disclose protected health information pursuant to the 
following routine uses where required by law, or required or permitted 
by 45 CFR Parts 160 and 164.
    1. Disclosure of identifying information, such as names, SSNs, 
demographic and utilization data, may be made to Federal, State, local, 
or tribal agencies such as the DoD, CMS, and Medicare Payment Advisory 
Commission (MedPAC), as part of statistical matching programs for the 
purpose of better identifying the total current health care usage of 
the patient population served by VA in order to forecast future demand 
for VA medical care by VA medical facilities.
    2. Disclosure may be made to Federal, State, local, and tribal 
government agencies and national health organizations in order to 
assist in the development of programs that will be beneficial to 
claimants and assure that they are receiving all benefits to which they 
are entitled.
    3. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.
    4. Disclosure may be made, excluding name and address (unless name 
and address are furnished by the requestor) for research purposes 
determined to be necessary and proper, to epidemiological and other 
research facilities approved by the System Manager or the Under 
Secretary for Health, or designee.
    5. Any record in the system records may be disclosed to a Federal 
agency for the conduct of research and data analysis to perform a 
statutory purpose of that Federal agency upon the prior written request 
of that agency, provided that there is legal authority under all 
applicable confidentiality statutes and regulations to provide the data 
and the VHA Medicare and Medicaid Analysis Center (MAC) has determined 
prior to the disclosure that VA data handling requirements are 
satisfied. MAC may disclose limited individual identification 
information to another Federal agency for the purpose of matching and 
acquiring information held by that agency for MAC to use for the 
purposes stated for this system of records.
    6. Disclosure may be made to National Archives and Records 
Administration (NARA), General Services Administration (GSA) in records 
management inspections conducted under authority of 44 U.S.C.
    7. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    8. Disclosure may be made to individuals, organizations, private or 
public agencies, or other entities or individuals with whom VA has a 
contract or agreement to perform such services as VA may deem 
practicable for the purposes of laws administered by VA, in order for 
the contractor, subcontractor, public or private agency, or other 
entity or individual with whom VA has an agreement or contract to 
perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary entity or individual to perform an activity 
that is necessary for individuals, organizations, private or public 
agencies, or other entities or individuals with whom VA has a contract 
or agreement to provide the service to VA.
    9. Any records may be disclosed to appropriate agencies, entities, 
and persons under the following circumstances: When (1) It is suspected 
or confirmed that the security or confidentiality of information in the

[[Page 46133]]

system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security or integrity of this system or other 
systems or programs (whether maintained by the Department or another 
agency or entity) that rely upon the compromised information; and (3) 
the disclosure is made to such agencies, entities, and persons who are 
reasonably necessary to assist in connection with the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Data are maintained on magnetic tape, disk, or laser optical media.

RETRIEVABILITY:
    Records may be retrieved by name, name and one or more criteria 
(e.g., dates of birth, death and service), SSN or VA claim number.

SAFEGUARDS:
    1. Access to and use of these records is limited to those persons 
whose official duties require such access. Personnel screening is 
employed to prevent unauthorized disclosure.
    2. Access to Automated Data Processing files is controlled at two 
levels: (1) Terminals, central processing units, and peripheral devices 
are generally placed in secure areas (areas that are locked or have 
limited access) or are otherwise protected; and (2) the system 
recognizes authorized users by means of an individually unique password 
entered in combination with an individually unique user identification 
code.
    3. Access to automated records concerning identification codes and 
codes used to access various VA automated communications systems and 
records systems, as well as security profiles and possible security 
violations is limited to designated automated systems security 
personnel who need to know the information in order to maintain and 
monitor the security of VA's automated communications and veterans' 
claim records systems. Access to these records in automated form is 
controlled by individually unique passwords/codes. Agency personnel may 
have access to the information on a need to know basis when necessary 
to advise agency security personnel or for use to suspend or revoke 
access privileges or to make disclosures authorized by a routine use.
    4. Access to VA facilities where identification codes, passwords, 
security profiles and possible security violations are maintained is 
controlled at all hours by the Federal Protective Service, VA or other 
security personnel and security access control devices.

RETENTION AND DISPOSAL:
    Copies of back-up computer files will be maintained at primary and 
secondary VA recipient sites for CMS data (see Appendix 5). Records 
will be maintained and disposed of in accordance with the records 
disposal authority approved by the Archivist of the United States, the 
National Archives and Records Administration, and published in Agency 
Records Control Schedules.

SYSTEM MANAGER AND ADDRESS:
    Manager, Medicare and Medicaid Analysis Center, 100 Grandview Rd., 
Suite 114, Braintree, MA 02184.

NOTIFICATION PROCEDURE:
    Individuals wishing to inquire whether this system of records 
contains information about them should submit a signed written request 
to the Manager, Medicare and Medicaid Analysis Center, 100 Grandview 
Rd., Suite 114, Braintree, MA 02184.

RECORDS ACCESS PROCEDURES:
    An individual who seeks access to records maintained under his or 
her name or other personal identifier may write the System Manager 
named above and specify the information being contested.

CONTESTING RECORD PROCEDURES:
    (See Records Access Procedures above.)

RECORD SOURCE CATEGORIES:
    Information may be obtained from the Patient Medical Records System 
(24VA136); Patient Fee Basis Medical and Pharmacy Records (23VA136); 
Veterans and Beneficiaries Identification and Records Location 
Subsystem (38VA23); Compensation, Pension, Education and Rehabilitation 
Records (58VA21/22); all other potential VA and non-VA sources of 
veteran demographic information; DoD utilization files and DEERS files; 
and CMS databases.

VA Appendix 5

Primary and Secondary VA Recipient Sites of CMS Data

    1. Primary Site: Medicare and Medicaid Analysis Center, 100 
Grandview Rd., Suite 114, Braintree, MA 02184.
    2. Secondary Site: Veterans Health Administration (VHA) Office 
of the Assistant Deputy Under Secretary for Health (ADUSH) for 
Policy and Planning, 810 Vermont Avenue, NW., Washington, DC, 20420. 
Location of data for ADUSH at 811 Vermont Avenue, NW., Washington, 
DC, 20420; Silver Springs, MD; and/or Martinsburg, WV.
    3. Secondary Site: VA Information Resource Center (VIReC), Hines 
VA Medical Center, 5th Ave & Roosevelt Ave, Hines, IL, 60141.
    4. Secondary Site: VA Office of the Inspector General (OIG), 
53CT, 1615 Woodward Street, Austin, TX, 78772.
    5. Secondary Site: VA Austin Automation Center (AAC), 1615 
Woodward Street, Austin, TX, 78722.
    6. Secondary Site: VA Chief Business Office (CBO), Director of 
Business Development, 810 Vermont Ave, NW., Washington, DC, 20420.
    7. Secondary Site: VISN Support Service Center (VSSC), 1615 
Woodward Street, Austin, TX, 78722.

 [FR Doc. E7-16046 Filed 8-15-07; 8:45 am]
BILLING CODE 8320-01-P