Privacy Act of 1974, 16097-16103 [E8-6143]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 73, Number 59 (Wednesday, March 26, 2008)]
[Notices]
[Pages 16097-16103]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-6143]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974

AGENCY: Department of Veterans Affairs.

ACTION: Notice of Amendment of System of Records ``Health Care Provider 
Credentialing and Privileging Records--VA.''

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552(e)(4)) requires that all 
agencies publish in the Federal Register a notice of the existence and 
character of their systems of records. The Department of Veterans 
Affairs (VA) is amending the system of records, known as ``Health Care 
Provider Credentialing and Privileging Records--VA'' (77VA10Q) as set 
forth in the Federal Register 55 FR 30790 dated 12/6/01. VA is amending 
the system notice by revising the paragraphs on System Location, 
Categories of Records in the System, Routine Uses, System Manager(s) 
and Address, and Record Source Categories. VA is republishing the 
system notice in its entirety at this time.

DATES: Comments on the amendment of this system of records must be 
received no later than April 25, 2008. If no public comment is 
received, the new system will become effective April 25, 2008.

ADDRESSES: Written comments may be submitted through https://

[[Page 16098]]

www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 273-9515 for an appointment. In 
addition, during the comment period, comments may be viewed online 
through the Federal Docket Management System (FDMS).

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Act Officer, Department of Veterans Affairs, 810 Vermont Ave., 
NW., Washington, DC 20420, (704) 245-2492.

SUPPLEMENTARY INFORMATION: VHA is responsible for providing medical 
care under chapter 17 of title 38 United States Code. As part of 
providing quality health care, VHA engages in the credentialing 
(verification of education, training, and qualifications) of the 
practitioners delivering this care. VHA has a centralized electronic 
data warehouse (VetPro) to store credentialing health care provider 
data and the images of the primary source verification of health care 
providers' credentials. The previously reported joint credentialing and 
privileging project between the VHA and the Department of Health and 
Human Services, Health Resources and Services Administration (DHHS/
HRSA) was terminated in October 2003, and the VetPro system in its 
entirety returned to VA.
    A secondary information source is one that provides credentialing 
data that are derived from a primary source, i.e., National 
Practitioner Data Bank (NPDB), Federation of State Medical Boards 
(FSMB), etc. The NPDB manages the Health Integrity and Protection Data 
Bank (HIPDB). The final regulations for the HIPDB are published in 45 
CFR part 61, which is a national health care fraud and abuse control 
program. It is a national data bank to receive and disclose certain 
final, adverse actions against health care practitioners, providers and 
suppliers. VHA queries the HIPDB for all new appointments as well as 
part of the re-privileging process for licensed independent 
practitioners previously-privileged by VHA in the form of a combined 
query with the NPDB. As a secondary information source, information 
obtained from the HIPDB may require additional supporting documentation 
either from a primary source or additional secondary sources for 
corroboration. To assure provider identification, and appropriate 
matching of information entered into an electronic system, VHA captures 
unique provider identifiers such as name, Social Security number, 
national provider identifier, and unique physician identification 
number that VHA uses to ensure the credentialing information is 
appropriately associated to the correct provider. In addition to 
capturing the national provider identifier (NPI), VA will capture the 
associated taxonomy codes.
    Validated credentialing information may be shared with other 
established data systems such as Veterans Information Systems 
Technology Architecture (VistA) and Decision Support System (DSS). The 
purpose of sharing credentialing information and associated data is to 
decrease the duplicative effort of both providers and staff in 
gathering the same information multiple times for inclusion in 
different databases used in VHA. These data are required for such 
activities as emergency medical responses in times of national 
disaster, telemedicine, and medical care cost recovery and will be 
disclosed only to the extent it is reasonably necessary to assist in 
the accomplishment of statutory or government-wide administrative 
mandates.
    Amendments to the System Location include that electronic records 
may be maintained by VHA Office of Quality and Performance (OQP), a 
component thereof, or contractor or subcontractor of VHA/OQP. The 
Category of Records in the System is amended to more clearly specify 
the accessing and reporting to the HIPDB, and the FSMB.
    Routine uses 17 and 18 are amended to incorporate querying and 
reporting obligations for the HIPDB. The System Manager(s) and 
Addresses are amended to reflect that records may be maintained by 
human resources management offices in addition to previously identified 
locations. The System Manager(s) and Addresses are also being amended 
to reflect the termination of the agreement between the DHHS/HRSA and 
VA/VHA in October 2003. Record Source Categories is being amended to 
include the HIPDB.
    Routine use 21 was added for the purpose of disclosure to OPP will 
determine that: (A) The disclosure does not violate legal or policy 
limitations under which the record was provided, collected, or 
obtained; (B) the study purpose (1) cannot be reasonably accomplished 
unless the record is provided in individually-identifiable form, and 
(2) warrants the risk to the privacy of the individual that additional 
exposure of the record might bring; and (C) the recipient has agreed 
that (1) it will establish (if it hasn't already) reasonable 
administrative, technical, and physical safeguards to prevent 
unauthorized use or disclosure of the record, (2) will remove or 
destroy the information that identifies the individual at the earliest 
time at which removal or destruction can be accomplished consistent 
with the purpose of the study, unless the recipient has presented 
adequate justification of a study or health nature for retaining such 
information, and (3) will make no further use or disclosure of the 
record except (a) in emergency circumstances affecting the health or 
safety of any individual, (b) for use in another study, under these 
same conditions, and only with prior written authorization of the 
Department, (c) for disclosure to a properly identified person for the 
purpose of an audit related to the study, if information that would 
enable veterans or their dependents to be identified is removed or 
destroyed at the earliest opportunity consistent with the purpose of 
the audit, or (d) when required by law. Prior to disclosure, OPP will 
secure a written statement attesting to the recipient's understanding 
of, and willingness to abide by, these provisions.
    Routine use 21 was added to disclose information to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement. Routine use 22 
was added in the event of mitigating risk and or harm.
    Routine use 23 was added to disclosure information to other Federal 
agencies in the event of assisting such agencies in preventing and 
detecting possible fraud or abuse by individuals in their operations 
and programs.
    An amendment was made to Routine use 8 to disclose information to 
the Department of Justice, either on VA's initiative or in response to 
DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
DoJ is the use of the information is compatible with the purpose for 
which VA collected the records. Routine use 14 was amended to disclose 
information to officials of the Merit Systems Protection Board, or the 
Office of Special Counsel.

[[Page 16099]]

    VA is revising and updating the systems of record notice 77VA10Q, 
``Health Care Provider Credentialing and Privileging Records--VA.''
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of the Office of Management and Budget (OMB) as 
required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB 
(61 FR 6428), February 20, 1996.

    Approved: March 12, 2008.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
77VA10Q

SYSTEM NAME:
    Health Care Provider Credentialing and Privileging Records--VA.

SYSTEM LOCATION:
    Records are maintained at each Department of Veterans Affairs (VA) 
health care facility. Address locations for VA facilities are listed in 
VA Appendix 1 biennial publication of VA system of records. In 
addition, information from these records or copies of records may be 
maintained at the Department of Veterans Affairs, 810 Vermont Avenue, 
NW., Washington, DC 20420 and/or Veterans Integrated Service Network 
(VISN) Offices. Records for those health care providers who are 
contractors in a VA health care facility, or to VA for the delivery of 
health care to veterans and are credentialed by the contractor in 
accordance with Veterans Health Administration (VHA) policy, where 
credentialing information is received by VHA facilities, it will be 
maintained in accordance with this notice and VHA policy. Electronic 
copies of records may be maintained by VHA Office of Quality and 
Performance (OPQ), a component thereof, or a contractor or 
subcontractor of VHA/OQP. Back-up copies of the electronic data 
warehouse are maintained at off-site locations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning health care providers 
currently or formerly employed or otherwise utilized by VHA and 
individuals who apply to VHA for employment and are considered for 
employment or appointment as health care providers. These records will 
include information concerning individuals who through a contractual or 
other agreement may be, or are, providing health care to VA patients. 
This may include, but is not limited to, audiologists, dentists, 
dietitians, expanded-function dental auxiliaries, licensed practical or 
vocational nurses, nuclear medicine technologists, nurse anesthetists, 
nurse practitioners, registered nurses, occupational therapists, 
optometrists, clinical pharmacists, licensed physical therapists, 
physician assistants, physicians, podiatrists, psychologists, 
registered respiratory therapists, certified respiratory therapy 
technicians, diagnostic and therapeutic radiology technologists, social 
workers, and speech pathologists.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records in the system consist of information related to:
    (1) The credentialing (the review and verification of an 
individual's qualifications for employment or utilization, which 
includes licensure, registration or certification, professional 
education and training, employment history, experience, appraisals of 
past performance, health status, etc.) of applicants who are considered 
for employment and/or appointment, for providing health services under 
a contract or other agreement, and/or for appointment to the 
professional staff at a VHA health care facility.
    (2) The privileging (the process of reviewing and granting or 
denying a provider's request for clinical privileges to provide medical 
or other patient care services, within well-defined limits, which are 
based on an individual's professional license, registration or 
certification, experience, training, competence, health status, 
ability, and clinical judgment) health care providers who are permitted 
by law and by the medical facility to provide patient care 
independently and individuals whose duties and responsibilities are 
determined to be beyond the normal scope of activities for their 
profession;
    (3) The periodic reappraisal of health care providers' professional 
credentials and the reevaluation of the clinical competence of 
providers who have been granted clinical privileges; and/or
    (4) Records generated as part or result of accessing and reporting 
to the National Practitioner Data Bank (NPDB), the Health Integrity and 
Protection Data Bank, and the Federation of State Medical Boards 
(FSMB).
    The records may include individually identifiable information 
(e.g., name, date of birth, gender, Social Security number, national 
provider number and associated taxonomy codes, and/or other personal 
identification number), address information (e.g., home and/or mailing 
address, home telephone number, e-mail address, facsimile number), 
biometric data, information related to education and training (e.g., 
name of medical or professional school attended and date of graduation, 
name of training program, type of training, dates attended, and date of 
completion). The records may also include information related to: the 
individual's license, registration or certification by a State 
licensing board and/or national certifying body (e.g., number, 
expiration date, name and address of issuing office, status including 
any actions taken by the issuing office or any disciplinary board to 
include previous or current restrictions, suspensions, limitations, or 
revocations); citizenship; honors and awards; type of appointment or 
utilization; service/product line; professional society membership; 
professional performance, experience, and judgment (e.g., documents 
reflecting work experience, appraisals of past and current performance 
and potential); educational qualifications (e.g., name and address of 
institution, level achieved, transcript, information related to 
continuing education); Drug Enforcement Administration and/or State 
controlled dangerous substance certification (e.g., current status, any 
revocations, suspensions, limitations, restrictions); information about 
mental and physical status; evaluation of clinical and/or technical 
skills; involvement in any administrative, professional or judicial 
proceedings, whether involving VA or not, in which professional 
malpractice on the individual's part is or was alleged; any actions, 
whether involving VA or not, which result in the limitation, reduction, 
revocation, or acceptance of surrender or restriction of the 
individual's clinical privileges; and, clinical performance information 
that is collected and used to support a determination of an 
individual's request for clinical privileges. Some information that is 
included in the record may be duplicated in an employee's official 
personnel folder.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38 U.S.C. section 501(a) and section 7304(a)(2).

PURPOSE(S):
    The information may be used for: Verifying the individual's 
credentials and qualifications for employment or utilization, 
appointment to the professional staff, and/or clinical privileges; 
advising prospective health care entity employers, health care 
professional licensing or monitoring bodies, the NPDB, or similar 
entities or activities of individuals covered by this system; 
accreditation of a facility by an

[[Page 16100]]

entity such as the Joint Commission; audits, reviews and investigations 
conducted by staff of the health care facility, the Veterans Integrated 
Service Network (VISN) Directors and Division Offices, VA Central 
Office, VHA program offices, and the VA Office of Inspector General; 
law enforcement investigations; quality assurance audits, reviews and 
investigations; personnel management and evaluations; employee ratings 
and performance evaluations; and, employee disciplinary or other 
adverse action, including discharge. The records and information may be 
used for statistical analysis, to produce various management reports, 
evaluate services, collection, distribution and utilization of 
resources, and provide clinical and administrative support to patient 
medical care.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    1. A record from this system of records may be disclosed to any 
source from which additional information is requested (to the extent 
necessary to identify the individual, inform the source of the 
purpose(s) of the request, and to identify the type of information 
requested), when necessary to obtain information relevant to a 
Department decision concerning the hiring or retention of an employee, 
the issuance or reappraisal of clinical privileges, the issuance of a 
security clearance, the conducting of a security or suitability 
investigation of an individual, the letting of a contract, the issuance 
of a license, grant, or other benefits; or in response to scarce or 
emergency needs of the Department or other entities when specific 
skills are required.
    2. A record from this system of records may be disclosed to an 
agency in the executive, legislative, or judicial branch, or the 
District of Columbia's Government in response to its request, or at the 
initiation of VA, information in connection with the hiring of an 
employee, appointment to the professional staff, the issuance of a 
security clearance, the conducting of a security or suitability 
investigation of an individual, the letting of a contract, the issuance 
of a license, grant, or other benefit by the agency, or the lawful 
statutory or administrative purpose of the agency to the extent that 
the information is relevant and necessary to the requesting agency's 
decision; or at the initiative of VA, to the extent the information is 
relevant and necessary to an investigative purpose of the agency.
    3. Disclosure may be made to a Congressional office from the record 
or an individual in response to an inquiry from the Congressional 
office made at the request of that individual.
    4. Disclosure may be made to NARA (National Archives and Records 
Administration) in records management inspections conducted under 
authority of title 44 United States Code.
    5. Information from this system of records may be disclosed to a 
Federal agency or to a State or local government licensing board and/or 
to the Federation of State Medical Boards or a similar non-government 
entity which maintains records concerning individuals' employment 
histories or concerning the issuance, retention or revocation of 
licenses, certifications, or registration necessary to practice an 
occupation, profession or specialty, in order for the Department to 
obtain information relevant to a Department decision concerning the 
hiring, utilization, appointment, retention or termination of 
individuals covered by this system or to inform a Federal agency or 
licensing boards or the appropriate non-government entities about the 
health care practices of a currently employed, appointed, otherwise 
utilized, terminated, resigned, or retired health care employee or 
other individuals covered by this system whose professional health care 
activity so significantly failed to meet generally accepted standards 
of clinical practice as to raise reasonable concern for the safety of 
patients. These records may also be disclosed as part of an ongoing 
computer-matching program to accomplish these purposes.
    6. Information may be disclosed to non-Federal sector (i.e., State, 
or local governments) agencies, organizations, boards, bureaus, or 
commissions (e.g., the Joint Commission). Such disclosures may be made 
only when: (1) The records are properly constituted in accordance with 
VA requirements; (2) the records are accurate, relevant, timely, and 
complete; and (3) the disclosure is in the best interest of the 
Government (e.g., to obtain accreditation or other approval rating). 
When cooperation with the non-Federal sector entity, through the 
exchange of individual records, directly benefits VA's completion of 
its mission, enhances personnel management functions, or increases the 
public confidence in VA's or the Federal Government's role in the 
community, then the Government's best interests are served. Further, 
only such information that is clearly relevant and necessary for 
accomplishing the intended uses of the information as certified by the 
receiving entity is to be furnished.
    7. Information may be disclosed to a State or national certifying 
body which has the authority to make decisions concerning the issuance, 
retention or revocation of licenses, certifications or registrations 
required to practice a health care profession, when requested in 
writing by an investigator or supervisory official of the licensing 
entity or national certifying body for the purpose of making a decision 
concerning the issuance, retention or revocation of the license, 
certification or registration of a named health care professional.
    8. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    9. Hiring, appointment, performance, or other personnel 
credentialing related information may be disclosed to any facility or 
agent with which there is, or there is proposed to be, an affiliation, 
sharing agreement, partnership, contract, or similar arrangement, where 
required for establishing, maintaining, or expanding any such 
relationship.
    10. Information concerning a health care provider's professional 
qualifications and clinical privileges may be disclosed to a VA 
patient, or the representative or guardian of a patient who due to 
physical or mental incapacity lacks sufficient understanding and/or 
legal capacity to make decisions concerning his/her medical care, who 
is receiving or contemplating receiving medical or other patient care 
services from the provider when the information is needed by the 
patient or the patient's representative or guardian in order to make a 
decision related to the initiation of treatment, continuation or 
discontinuation of treatment, or receiving a specific treatment that is 
proposed or planned by the provider. Disclosure will be limited to

[[Page 16101]]

information concerning the health care provider's professional 
qualifications (professional education, training and current licensure/
certification status), professional employment history, and current 
clinical privileges.
    11. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local or foreign 
agency charged with the responsibility of investigating or prosecuting 
such violation, or charged with enforcing or implementing the statute, 
regulation, rule or order. On its own initiative, VA may also disclose 
the names and addresses of veterans and their dependents to a Federal 
agency charged with the responsibility of investigating or prosecuting 
civil, criminal or regulatory violations of law, or charged with 
enforcing or implementing the statute, regulation, rule or order issued 
pursuant thereto.
    12. To disclose to the Federal Labor Relations Authority (including 
its General Counsel) information related to the establishment of 
jurisdiction, the investigation and resolution of allegations of unfair 
labor practices, or information in connection with the resolution of 
exceptions to arbitration awards when a question of material fact is 
raised; to disclose information in matters properly before the Federal 
Service Impasses Panel, and to investigate representation petitions and 
conduct or supervise representation elections.
    13. To disclose to the VA-appointed representative of an employee 
all notices, determinations, decision, or other written communications 
issued to the employee in connection with an examination ordered by VA 
under fitness-for-duty examination procedures or Agency-filed 
disability retirement procedures.
    14. To disclose information to officials of the Merit Systems 
Protection Board, when requested in connection with appeals, special 
studies of the civil service and other merit systems, review of rules 
and regulations, investigation of alleged or possible prohibited 
personnel practices, and such other functions, promulgated in 5 U.S.C. 
1205 and 1206, or as may be authorized by law.
    15. To disclose information to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discriminatory practices, examination of Federal 
affirmative employment programs, or the other functions of the 
Commission as authorized by law or regulation.
    16. To disclose the information listed in 5 U.S.C. 7114(b)(4) to 
officials of labor organizations recognized under 5 U.S.C., chapter 71 
when relevant and necessary to their duties of exclusive representation 
concerning personnel policies, practices, and matters affecting working 
conditions.
    17. Identifying information in this system, including name, 
address, Social Security number and other information as is reasonably 
necessary to identify such individual, may be disclosed to the NPDB and 
the HIPDB at the time of hiring, appointment, utilization, and/or 
clinical privileging/reprivileging of physicians, dentists and other 
health care practitioners, and other times as deemed necessary by VA, 
in order for VA to obtain information relevant to a Department decision 
concerning the hiring, appointment, utilization, privileging/
reprivileging, retention or termination of the individual.
    18. Relevant information from this system of records may be 
disclosed to the NPDB, HIPDB, and/or State Licensing Board in the 
State(s) in which a practitioner is licensed, in which the VA facility 
is located, and/or in which an act or omission occurred upon which a 
medical malpractice claim was based when VA reports information 
concerning: (1) Any payment for the benefit of a physician, dentist, or 
other licensed health care practitioner which was made as the result of 
a settlement or judgment of a claim of medical malpractice if an 
appropriate determination is made in accordance with agency policy that 
payment was related to substandard care, professional incompetence or 
professional misconduct on the part of the individual; (2) a final 
decision which relates to possible incompetence or improper 
professional conduct that adversely affects the clinical privileges of 
a physician or dentist for a period longer than 30 days; or, (3) the 
acceptance of the surrender of clinical privileges or any restriction 
of such privileges by a physician or dentist either while under 
investigation by the health care entity relating to possible 
incompetence or improper professional conduct, or in return for not 
conducting such an investigation or proceeding. These records may also 
be disclosed as part of a computer-matching program to accomplish these 
purposes.
    19. In response to a request about a specifically identified 
individual covered by this system from a prospective Federal or non-
Federal health care entity employer, the following information may be 
disclosed: (a) Relevant information concerning the individual's 
professional employment history including the clinical privileges held 
by the individual; (b) relevant information concerning a final decision 
that results in a voluntary or involuntary limitation, reduction or 
loss of clinical privileges; and (c) relevant information concerning 
any payment that is made in settlement (or partial settlement) of, or 
in satisfaction of a judgment in, a medical malpractice action or claim 
and, when through a peer review process that is undertaken pursuant to 
VA policy, negligence, professional incompetence, responsibility for 
improper care, and/or professional misconduct has been assigned to the 
individual.
    20. Disclosure may be made to any Federal, State, local, tribal or 
private entity in response to a request concerning a specific provider 
for the purposes of credentialing providers who provide health care at 
multiple sites or move between sites. Such disclosures may be made only 
when: (1) The records are properly constituted in accordance with VA 
requirements; (2) the records are accurate, relevant, timely, and 
complete; and (3) disclosure is in the best interests of the Government 
(i.e., to meet the requirements of contracts, sharing agreements, 
partnerships, etc.). When exchange of credentialing information through 
the exchange of individual records, directly benefits VA's completion 
of its mission, enhances public confidence in VA's or Federal 
Government's role in the delivery of health care, then the best 
interests of the Government are served.
    21. Disclosure may be made to individuals, organizations, private 
or public agencies, or other entities or individuals with whom VA has a 
contract or agreement to perform such services as VA may deem 
practicable for the purposes of laws administered by VA, in order for 
the contractor, subcontractor, public or private agency, or other 
entity or individual with whom VA has an agreement or contract to 
perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary entity or individual to perform an activity 
that is necessary for individuals, organizations, private or public 
agencies, or other entities or individuals with whom VA has a contract 
or agreement to provide the service to VA.

[[Page 16102]]

    22. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
entity) that rely upon the potentially compromised information; and (3) 
the disclosure is to agencies, entities, or persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosures by the Department to respond to a suspected or confirmed 
data breach, including the conduct of any risk analysis or provision of 
credit protection services as provided in 38 U.S.C. 5724, as the terms 
are defined in 38 U.S.C. 5727.
    23. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are maintained on paper documents or in electronic format. 
Information included in the record may be stored on microfilm, magnetic 
tape or disk. Records are maintained at the employing VHA health care 
facility. If the individual transfers to another VHA health care 
facility, the record is transferred to the new location, if 
appropriate.

RETRIEVABILITY:
    Records are retrieved by the names and Social Security number or 
other assigned identifiers, e.g., the National Provider Identifier 
(NPI), of the individuals on whom they are maintained.

SAFEGUARDS:
    1. Access to VA working and storage areas in VA health care 
facilities is restricted to VA employees on a ``need to know'' basis; 
strict control measures are enforced to ensure that disclosure to these 
individuals is also based on this same principle. Generally, VA file 
areas are locked after normal duty hours and the health care facilities 
are protected from outside access by the Federal Protective Service or 
other security personnel.
    2. Access to computer room within the health care facilities is 
generally limited by appropriate locking devices and restricted to 
authorized VA employees and vendor personnel. Automated data processing 
peripheral devices are generally placed in secure areas (areas that are 
locked or have limited access) or are otherwise protected. Information 
in the Veterans Information Systems Technology Architecture (VistA) 
system may be accessed by authorized VA employees. Access to file 
information is controlled at two levels; the system recognizes 
authorized employees by a series of individually unique passwords/codes 
as a part of each data message, and the employees are limited to only 
that information in the file that is needed in the performance of their 
official duties.
    3. Access to records in VA Central Office and the VISN directors 
and division offices is only authorized to VA personnel on a ``need-to-
know'' basis. There is limited access to the building with visitor 
control by security personnel.
    4. The automated system is Internet enabled and will conform to all 
applicable Federal Regulations concerning information security. The 
automated system is protected by a generalized security facility and by 
specific security techniques used within the application that accesses 
the data file and may include individually unique passwords/codes and 
may utilize Public Key Infrastructure (PKI) personal certificates. Both 
physical and system security measures will meet or exceed those 
required to provide an adequate level of protection for host systems. 
Access to file information is limited to only that information in the 
file that is needed in the performance of official duties. Access to 
computer rooms is restricted generally by appropriate locking devices 
to authorized operational personnel. Information submitted to the 
automated electronic system is afforded the same protections as the 
data that are maintained in the original files. Remote on-line access 
from other agencies to the data storage site is controlled in the same 
manner. Access to the electronic data is supported by encryption and 
the Internet server is insulated by a firewall.

RETENTION AND DISPOSAL:
    Paper records are retired to the VA Records Center and Vault (VA 
RC&V) 3 years after the individual separates from VA employment or when 
no longer utilized by VA (in some cases, records may be maintained at 
the facility for a longer period of time) and are destroyed 30 years 
after separation. Paper records for applicants who are not selected for 
VA employment or appointment are destroyed 2 years after non-selection 
or when no longer needed for reference, whichever is sooner. Electronic 
records are transferred to the Director, Credentialing and Privileging 
Program, Office of Quality and Performance, VA Central Office, when the 
provider leaves the facility. Information stored on electronic storage 
media is maintained and disposed of in accordance with records 
disposition authority approved by the Archivist of the United States.

SYSTEM MANAGER(S) AND ADDRESS:
    Official responsible for policies and procedures: Director, 
Credentialing and Privileging Program, Office of Quality and 
Performance (10Q), Veterans Health Administration, Department of 
Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420.
    Officials maintaining the system: (1) The chief of staff at the VA 
health care facility where the provider made application, is employed, 
or otherwise utilized; (2) the credentialing coordinator of the VA 
health care facility for individuals who made application for 
employment or other utilization, or providers currently or previously 
employed or otherwise utilized at; (3) human resources management 
offices of the VA health care facility for individuals who made 
application for employment or other utilization, or providers currently 
or previously employed or otherwise utilized; (4) VA Central Office or 
at a VISN location; The electronic data will be maintained by VHA/OQP, 
a component thereof, or a contractor or subcontractor of VHA/OQP.

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether this system of records 
contains information about them should contact the VA facility location 
at which they made application for employment or appointment, or are or 
were employed. Inquiries should include the employee's full name, 
Social Security number, date of application for employment or 
appointment or dates of employment or appointment, and return address.

[[Page 16103]]

RECORD ACCESS PROCEDURES:
    Individuals seeking information regarding access to and contesting 
of records in this system may write, call or visit the VA facility 
location where they made application for employment or appointment, or 
are or were employed.

CONTESTING RECORDS PROCEDURES:
    (See Record Access Procedures).

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by the applicant/
employee, or obtained from State licensing boards, Federation of State 
Medical Boards, National Council of State Boards of Nursing, National 
Practitioner Data Bank, Health Integrity and Protection Data Bank, 
professional societies, national certifying bodies, current or previous 
employers, other health care facilities and staff, references, 
educational institutions, medical schools, VA staff, patient, visitors, 
and VA patient medical records.
 [FR Doc. E8-6143 Filed 3-25-08; 8:45 am]
BILLING CODE 8320-01-P