Privacy Act of 1974, 15847-15852 [E8-5956]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 73, Number 58 (Tuesday, March 25, 2008)]
[Notices]
[Pages 15847-15852]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-5956]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974

AGENCY: Department of Veterans Affairs (VA).

[[Page 15848]]


ACTION: Notice of New System of Records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552(e)(4)) requires that all 
agencies publish in the Federal Register a notice of the existence and 
character of their systems of records. Notice is hereby given that the 
Department of Veterans Affairs (VA) is establishing a new system of 
records entitled ``Enrollment and Eligibility Records-VA'' (147VA16) 
formerly included and described in the ``Health Eligibility Records-
VA'' (89VA19) system of records last amended in the Federal Register on 
May 18, 2001, which has been renamed, ``Income Verification Records'' 
66 FR 27752 (May 18, 2001).

DATES: Comments on this new system of records must be received no later 
than April 24, 2008. If no public comment is received, or unless 
otherwise published in the Federal Register by VA, the new system will 
become effective April 24, 2008.

ADDRESSES: Written comments may be submitted through https://
www.Regulations.gov; by mail or hand delivery to the Director, 
Regulations Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 273-9515 for an appointment. In 
addition, during the comment period, comments may be viewed online 
through the Federal Docket Management System (FDMS) at https://
www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Stephania H. Putt, Veterans Health 
Administration (VHA) Privacy Officer, Department of Veterans Affairs, 
810 Vermont Avenue, NW., Washington, DC 20420, telephone (704) 245-
2492.

SUPPLEMENTARY INFORMATION: Background: Title 38 U.S.C. Section 1705 
requires VHA to establish a system of annual patient enrollment to 
manage the delivery of health care.

I. Description of Proposed Systems of Records

    This system of records is used to establish and maintain 
applicants' records necessary to support the delivery of health care 
benefits; establish applicants' eligibility for VA health care 
benefits; to operate an annual enrollment system; provide eligible 
veterans with an identification card; collect from applicants' health 
insurance provider for care of their nonservice-connected conditions; 
provide educational materials related to VA health care benefits, 
enrollment, and eligibility; respond to veteran and non-veteran 
inquiries related to VA health care benefits, enrollment, and 
eligibility; and compile management reports.

II. Proposed Routine Use Disclosures of Data in the System

    To the extent that records contained in the system include 
information protected by 45 CFR Parts 160 and 164, (i.e., individually-
identifiable health information) that information cannot be disclosed 
under a routine use unless there is also specific regulatory authority 
in 45 CFR Parts 160 and 164 permitting disclosure. VA may disclose 
protected health information pursuant to the following routine uses 
where required by law, or required or permitted by 45 CFR Parts 160 and 
164.
    1. VA may disclose information from this system of records, as 
deemed necessary and proper, to named individuals serving as accredited 
service organization representatives and other individuals named as 
approved agents or attorneys for a documented purpose and period of 
time, to aid beneficiaries in the preparation and presentation of their 
cases during verification and/or due process procedures and in the 
presentation and prosecution of claims under laws administered by VA.
    2. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, or foreign 
agency charged with the responsibility of investigating or prosecuting 
such violation, or charged with enforcing or implementing the statute, 
regulation, rule or order. On its own initiative, VA may also disclose 
the names and addresses of veterans and their dependents to a Federal 
agency charged with the responsibility of investigating or prosecuting 
civil, criminal or regulatory violations of law, or charged with 
enforcing or implementing the statute, regulation, rule or order issued 
pursuant thereto.
    3. VA may disclose information to private attorneys representing 
veterans rated incompetent in conjunction with issuance of Certificates 
of Incompetence, in the course of presenting evidence to a court, 
magistrate or administrative tribunal in matters of guardianship, 
inquests and commitments, and to probation and parole officers in 
connection with Court required duties.
    4. VA may disclose information to a VA Federal fiduciary or a 
guardian ad litem in relation to his or her representation of a 
veteran, but only to the extent necessary to fulfill the duties of the 
VA Federal fiduciary or the guardian ad litem.
    5. VA may disclose information to attorneys, insurance companies, 
employers, third parties liable or potentially liable under health plan 
contracts, and courts, boards, or commissions, but only to the extent 
necessary to aid VA in the preparation, presentation, and prosecution 
of claims authorized under Federal, State, or local laws, and 
regulations promulgated hereunder.
    6. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    7. VA may disclose information to the National Archives and Records 
Administration (NARA) and General Services Administration (GSA) in 
records management inspections conducted under authority of title 44 
United States Code.
    8. VA may disclose information for the purposes identified below to 
a third party, except consumer reporting agencies, in connection with 
any proceeding for the collection of an amount owed to the United 
States by virtue of a person's participation in any benefit program 
administered by VA. Information may be disclosed under this routine use 
only to the extent that it is reasonably necessary for the following 
purposes: (a) To assist VA in the collection of costs of services 
provided

[[Page 15849]]

individuals not entitled to such services; (b) to initiate civil or 
criminal legal actions for collecting amounts owed to the United States 
and (c) for prosecuting individuals who willfully or fraudulently 
obtained or seek to obtain title 38 medical benefits. This disclosure 
is consistent with 38 U.S.C. 5701(b)(6).
    9. VA may disclose the name and address of a veteran, other 
information as is reasonably necessary to identify such veteran, and 
any information concerning the veteran's indebtedness to the United 
States by virtue of the person's participation in a benefits program 
administered by VA to a consumer reporting agency for purposes of 
assisting in the collection of such indebtedness, provided that the 
provisions of 38 U.S.C. 5701(g)(4) have been met.
    10. VA may disclose information to individuals, organizations, 
private or public agencies, or other entities with whom VA has a 
contract or agreement to perform such services as VA may deem 
practicable for the purposes of laws administered by VA in order for 
the individual or entity with whom VA has an agreement or contract to 
perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary individual or entity to perform an activity 
that is necessary for the individual or entity with whom VA has a 
contract or agreement to provide the service to VA.
    11. The record of an individual who is covered by a system of 
records may be disclosed to a member of Congress, or a staff person 
acting for the member, when the member or staff person requests the 
record on behalf of and at the written request of the individual.
    12. VA may disclose information to other Federal agencies to assist 
such agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    13. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise, there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
entity) that rely upon the potentially compromised information; and (3) 
the disclosure is to agencies, entities, or persons who VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosure is required by the Memorandum from the Office of Management 
and Budget (M-07-16), dated May 22, 2007, of all systems of records of 
all federal agencies. This routine use also permits disclosures by the 
Department to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision of credit 
protection services as provided in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which we collected the information. In all of the routine 
use disclosures described above, the recipient of the information will 
use the information in connection with a matter relating to one of VA's 
programs or to provide a benefit to VA, or disclosure is required by 
law.
    Under section 264, Subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 
100 Stat. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable Health 
Information, 45 CFR Parts 160 and 164. VA's Veterans Health 
Administration may not disclose individually-identifiable health 
information (as defined in HIPAA, 42 U.S.C. 1320(d)(6), and the HIPAA 
Privacy Rule, 45 CFR 164.501) pursuant to a routine use unless either: 
(a) the disclosure is required by law, or (b) the disclosure is 
permitted or required by the HIPAA Privacy Rule. The disclosures of 
individually-identifiable health information contemplated in the 
routine uses published in this system of records notice are permitted 
under the Privacy Rule or required by law. In accordance with the 
requirements of the Privacy Act, VA is publishing these routine uses 
and adding a preliminary paragraph to the routine uses portion of the 
system of records notice stating that any disclosure pursuant to the 
routine uses in this system of records notice must be either required 
by law or permitted by the Privacy Rule before VHA may disclose the 
covered information.
    The notice of intent to publish an advance copy of the system 
notice has been sent to the appropriate Congressional committees and to 
the Director of the Office of Management and Budget (OMB) as required 
by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 
77677), December 12, 2000.

Approved: March 11, 2008.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
147VA16

System Name:
    Enrollment and Eligibility Records--VA.

System Location:
    Records are maintained at the Health Eligibility Center (HEC) in 
Atlanta, Georgia, the Austin Automation Center (AAC) in Austin, Texas, 
at each VA health care facility as described in the VA system of 
records entitled ``Patient Medical Records--24VA19,'' and at the 
Veteran Identification Card (VIC) National Card Management Directory 
(NCMD) located at the Hines, Illinois, and Silver Spring, Maryland VA 
facilities. Electronic and magnetic records are also stored at 
contracted facilities for storage and back-up purposes.

Categories of Individuals Covered By This System:
    The records contain information on individuals who have applied for 
or who have received VA health care benefits under title 38, United 
States Code, chapter 17; the records also include veterans, their 
spouses and dependents as provided for in other provisions of title 38, 
United States Code.

Categories of Records In the System:
    The categories of records in this system may include: Medical 
benefit applications, eligibility and enrollment information, including 
information obtained from Veterans Benefits Administration automated 
records such as the Compensation, Pension, Education and Rehabilitation 
Records--VA'' (58VA21/22), and VIC information including applicant's 
name, address(es), date of birth, Social Security number, race and 
ethnicity, claim number, ICN, applicant's image, preferred facility and 
facility requesting a VIC, names,

[[Page 15850]]

addresses and phone numbers of persons to contact in the event of a 
medical emergency, family information including spouse and dependent(s) 
name(s), address(es) and Social Security number; applicant and spouse's 
employment information, including occupation, employer(s) name(s) and 
address(es); financial information concerning the applicant and the 
applicant's spouse including family income, assets, expenses, debts; 
third party health plan contract information, including health 
insurance carrier name and address, policy number and time period 
covered by policy; facility location(s) where treatment is provided; 
type of treatment provided (i.e., inpatient or outpatient); information 
about the applicant's military service (e.g., dates of active duty 
service, dates and branch of service, and character of discharge, 
combat service dates and locations, military decorations, POW status 
and military service experience including exposures to toxic 
substances); information about the applicant's eligibility for VA 
compensation or pension benefits, and the applicant's enrollment status 
and enrollment priority group. These records also include, but are not 
limited to, individual correspondence provided to the HEC by veterans, 
their family members and veterans' representatives such as Veteran 
Service Officers (VSO), copies of death certificates; form DD 214, 
Certificate of Release or Discharge from Active Duty; disability award 
letters; VA and other pension applications; VA Form 10-10EZ, 
Application for Health Benefits; VA Form 10-10EZR, Health Benefits 
Renewal; VA Form 10-10EC, Application for Extended Care Services; and 
workers compensation forms.

Authority for Maintenance of the System:
    Title 38, United States Code, Sections 501(a), 1705, 1710, 1722, 
and 5317.

Purpose(s):
    Information in this system of records is used to establish and 
maintain applicants' records necessary to support the delivery of 
health care benefits; establish applicants' eligibility for VA health 
care benefits; operate an annual enrollment system; provide eligible 
veterans with an identification card; collect from an applicant's 
health insurance provider for care of their nonservice-connected 
conditions; provide educational materials related to VA health care 
benefits, enrollment and eligibility; respond to veteran and non-
veteran inquiries related to VA health care benefits, enrollment and 
eligibility; and compile management reports.

Routine Uses of Records Maintained In the System, Including Categories 
of Users and the Purposes of Such Uses:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164 (i.e., individually 
identifiable health information), that information cannot be disclosed 
under a routine use unless there is also specific regulatory authority 
in 45 CFR parts 160 and 164 permitting disclosure.
    1. VA may disclose information from this system of records, as 
deemed necessary and proper, to named individuals serving as accredited 
service organization representatives and other individuals named as 
approved agents or attorneys for a documented purpose and period of 
time, to aid beneficiaries in the preparation and presentation of their 
cases during the verification and/or due process procedures and in the 
presentation and prosecution of claims under laws administered by VA.
    2. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, or foreign 
agency charged with the responsibility of investigating or prosecuting 
such violation, or charged with enforcing or implementing the statute, 
regulation, rule or order. On its own initiative, VA may also disclose 
the names and addresses of veterans and their dependents to a Federal 
agency charged with the responsibility of investigating or prosecuting 
civil, criminal or regulatory violations of law, or charged with 
enforcing or implementing the statute, regulation, rule or order issued 
pursuant thereto.
    3. VA may disclose information from this system of records to 
private attorneys representing veterans rated incompetent in 
conjunction with issuance of Certificates of Incompetence, in the 
course of presenting evidence to a court, magistrate or administrative 
tribunal, in matters of guardianship, inquests and commitments; and to 
probation and parole officers in connection with court required duties.
    4. VA may disclose information to a VA Federal fiduciary or a 
guardian ad litem in relation to his or her representation of a veteran 
only to the extent necessary to fulfill the duties of the VA Federal 
fiduciary or the guardian ad litem.
    5. VA may disclose information to attorneys, insurance companies, 
employers, third parties liable or potentially liable under health plan 
contracts, and to courts, boards, or commissions, but only to the 
extent necessary to aid VA in the preparation, presentation, and 
prosecution of claims authorized under Federal, State, or local laws, 
and regulations promulgated thereunder.
    6. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    7. VA may disclose information to the National Archives and Records 
Administration (NARA) and General Services Administration (GSA) in 
records management inspections conducted under authority of title 44 
United States Code.
    8. VA may disclose information for the purposes identified below to 
a third party, except consumer reporting agencies, in connection with 
any proceeding for the collection of an amount owed to the United 
States by virtue of a person's participation in any benefit program 
administered by VA. Information may be disclosed under this routine use 
only to the extent that it is reasonably necessary for the following 
purposes: (a) To assist VA in the collection of costs of services 
provided individuals not entitled to such services, (b) to initiate 
civil or criminal legal actions for collecting amounts owed to the 
United States, and (c) for prosecuting individuals who willfully or 
fraudulently obtained or seek to obtain title 38 medical benefits. This 
disclosure is consistent with 38 U.S.C. 5701(b)(6).
    9. VA may disclose information such as the name and address of a 
veteran, or other information as is reasonably

[[Page 15851]]

necessary to identify such veteran, and any information concerning the 
veteran's indebtedness to the United States by virtue of the person's 
participation in a benefits program administered by VA, to a consumer 
reporting agency for purposes of assisting in the collection of such 
indebtedness, provided that the provisions of 38 U.S.C. 5701(g)(4) have 
been met.
    10. VA may disclose information to individuals, organizations, 
private or public agencies, or other entities with whom VA has a 
contract or agreement to perform such services as VA may deem 
practicable for the purposes of laws administered by VA in order for 
the individual or entity with whom VA has an agreement or contract to 
perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary individual or entity to perform an activity 
that is necessary for the individual or entity with whom VA has a 
contract or agreement to provide the service to VA.
    11. VA may disclose information from the record of an individual 
who is covered by a system of records to a member of Congress, or a 
staff person acting for the member, when the member or staff person 
requests the record on behalf of and at the written request of the 
individual.
    12. VA may disclose information to other Federal agencies to assist 
such agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    13. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise, there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
entity) that rely upon the potentially compromised information; and (3) 
the disclosure is to agencies, entities, or persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosure is required by the Memorandum from the Office of Management 
and Budget (M-07-16), dated May 22, 2007, of all systems of records of 
all Federal agencies. This routine use also permits disclosures by the 
Department to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision of credit 
protection services as provided in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.

Policies and Practices for Storing, Retrieving, Accessing, Retaining 
and Disposing of Records In the System:
Storage:
    Records are maintained on magnetic tape, magnetic disk, optical 
disk and paper at the HEC, VIC databases, VA medical centers, the NCMD 
databases, AAC, contract facilities, and at Federal Record Centers. In 
most cases, copies of back-up computer files are maintained at off-site 
locations and/or agencies with whom VA has a contract or agreement to 
perform such services, as VA may deem practicable.

Retrievability:
    Records are retrieved by name, and/or Social Security number, ICN, 
military service number, claim folder number, correspondence tracking 
number, internal record number (DFN), facility number, or other 
assigned identifiers of the individuals on whom they are maintained.

Access:
    1. In accordance with national and locally established data 
security procedures, access to enrollment information databases (HEC 
Legacy system and the Enrollment Database) is controlled by unique 
entry codes (access and verification codes). The user's verification 
code is automatically set to be changed every 90 days. User access to 
data is controlled by role-based access as determined necessary by 
supervisory and information security staff as well as by management of 
option menus available to the employee. Determination of such access is 
based upon the role or position of the employee and functionality 
necessary to perform the employee's assigned duties.
    2. On an annual basis, employees are required to sign a computer 
access agreement acknowledging their understanding of confidentiality 
requirements. In addition, all employees receive annual privacy 
awareness and information security training. Access to electronic 
records is deactivated when no longer required for official duties. 
Recurring monitors are in place to ensure compliance with nationally 
and locally established security measures.
    3. User access to the VIC National Card Management Directory 
database utilizes the national NT network authentication 
infrastructure. The external VIC vendor utilizes the One-VA VPN secured 
connection for access to VIC records.
    4. Strict control measures are enforced to ensure that access to 
and disclosure from all records is limited to VA and the contractor's 
employees whose official duties warrant access to those files.
    5. As required by the provisions of the HIPAA Privacy Rule, 45 CFR 
Parts 160 and 164, access to records by HEC employees is classified 
under functional category ``Eligibility and Enrollment Staff.''

Safeguards:
    1. Data transmissions between VA health care facilities, the HEC, 
the AAC, Silver Spring, and Hines databases are accomplished using the 
Department's secure wide area network. The software programs 
automatically flag records or events for transmission based upon 
functional requirements. Server jobs at each facility run continuously 
to check for data to be transmitted and/or incoming data which needs to 
be parsed to files on the receiving end. All messages containing data 
transmissions include header information that is used for validation 
purposes. The recipients of the messages are controlled and/or assigned 
to the mail group based on their role or position. Consistency checks 
in the software are used to validate the transmission, and electronic 
acknowledgment messages are returned to the sending application. The 
Department's Office of Cyber Security has oversight responsibility for 
planning and implementing computer security.
    2. Working spaces and record storage areas at HEC, AAC, and the VIC 
processing locations are secured during all business hours, as well as 
during non-business hours. All entrance doors require an electronic 
pass card, for entry when unlocked, and entry doors are locked outside 
normal business hours. Visitors to the HEC are required to present 
identification, sign-in at a specified location and are issued a pass 
card that restricts access to non-sensitive areas. Visitors to the HEC 
are escorted by staff through restricted areas. At the end of the 
visit, visitors are required to turn in their badge. The building is 
equipped with an intrusion alarm system, which is activated during non-
business hours. This alarm system is monitored by a private security 
service vendor. The office space occupied by employees with access to

[[Page 15852]]

veteran records is secured with an electronic locking system, which 
requires a card for entry and exit of that office space. Access to the 
AAC is generally restricted to AAC staff, VA Central Office employees, 
custodial personnel, Federal Protective Service and authorized 
operational personnel through electronic locking devices. All other 
persons gaining access to the computer rooms are escorted.
    3. Access to the VIC contractor secured work areas is also 
controlled by electronic entry devices, which require a card and manual 
input for entry and exit of the production space. The VIC contractor's 
building is also equipped with an intrusion alarm system and a security 
service vendor monitors the system.
    4. Contract employees are required to sign a Business Associates 
Agreement (BAA) as required by the Health Insurance Portability and 
Accountability Act of 1996 as acknowledgement of mandatory provisions 
regarding the use and disclosure of protected health information. 
Employee and contractor access is deactivated when no longer required 
for official duties or upon termination of employment. Recurring 
monitors are in place to ensure compliance with nationally and locally 
established security measures.
    5. Beneficiary's enrollment and eligibility information is 
transmitted from the Enrollment and Eligibility information system to 
VA health care facilities over the Department's secure computerized 
electronic communications system.
    6. Only specific key staff have authorized access to the computer 
room. Programmer access to the information systems is restricted only 
to staff whose official duties require that level of access.
    7. On-line data reside on magnetic media in the HEC and AAC 
computer rooms that are highly secured. Backup media are stored in the 
computer room within the same building and only information system 
staff and designated management staff have access to the computer room. 
On a weekly basis, backup media are stored in off-site storage by a 
media storage vendor. The vendor picks up and returns the media in a 
locked storage container; vendor personnel do not have key access to 
the locked container. The AAC has established a backup plan for the 
Enrollment system as part of a required Certification and Accreditation 
of the information system.
    8. Any sensitive information that may be downloaded to personal 
computers or printed to hard copy format is provided the same level of 
security as the electronic records. All paper documents and informal 
notations containing sensitive data are shredded prior to disposal. All 
magnetic media (primary computer system) and personal computer disks 
are degaussed prior to disposal or release off-site for repair. The VIC 
contractor destroys all veteran identification data 30 days after the 
VIC card has been mailed to the veteran in accordance with contractual 
requirements.
    9. All new HEC employees receive initial information security and 
privacy training; refresher training is provided to all employees on an 
annual basis. The HEC's Information Security Officer performs an annual 
information security audit and periodic reviews to ensure security of 
the system. This annual audit includes the primary computer information 
system, the telecommunication system, and local area networks. 
Additionally, the IRS performs periodic on-site inspections to ensure 
the appropriate level of security is maintained for Federal tax data.
    10. Identification codes and codes used to access Enrollment and 
Eligibility information systems and records systems, as well as 
security profiles and possible security violations, are maintained on 
magnetic media in a secure environment at the Center. For contingency 
purposes, database back-ups on removable magnetic media are stored off-
site by a licensed and bonded media storage vendor.
    11. Contractors, subcontractors, and other users of the Enrollment 
and Eligibility Records systems will adhere to the same safeguards and 
security requirements to which HEC staff must comply.

Retention and Disposal:
    Regardless of the record medium, all records are disposed of in 
accordance with the records retention standards approved by the 
Archivist of the United States, National Archives and Records 
Administration, and published in the VHA Records Control Schedule 10-1.

System Manager(s) and Addresses:
    Official responsible for policies and procedures: Chief Business 
Officer (16), VA Central Office, 1722 I St., NW., Washington, DC 20420. 
Official maintaining the system: Director, Health Eligibility Center, 
2957 Clairmont Road, Atlanta, Georgia 30329.

Notification Procedure:
    Any individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request or apply in person to the Health Eligibility 
Center. All inquiries must reasonably identify the records requested. 
Inquiries should include the individual's full name, Social Security 
number, military service number, claim folder number and return 
address.

Record Access Procedures:
    Individuals seeking information regarding access to and contesting 
of Enrollment and Eligibility Records may write to the Director, Health 
Eligibility Center, 2957 Clairmont Road, Atlanta, Georgia 30329.

Contesting Record Procedures:
    (See Record Access procedures above).

Record Source Categories:
    Information in the systems of records may be provided by the 
applicant; applicant's spouse or other family members or accredited 
representatives or friends; health insurance carriers; other Federal 
agencies; ``Patient Medical Records--VA'' (24VA19) system of records; 
``Veterans Health Information System and Technology Architecture 
(VistA) Records--VA'' (79VA19); ``Income Verification Records--VA'' 
(89VA19); and Veterans Benefits Administration automated record 
systems, including ``Veterans and Beneficiaries Identification and 
Records Location Subsystem--VA'' (38VA23) and the ``Compensation, 
Pension, Education and Rehabilitation Records--VA'' (58VA21/22).

 [FR Doc. E8-5956 Filed 3-24-08; 8:45 am]
BILLING CODE 8320-01-P