Privacy Act of 1974; System of Records, 29818-29822 [2010-12758]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 75, Number 102 (Thursday, May 27, 2010)]
[Notices]
[Pages 29818-29822]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-12758]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of Amendment to System of Records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), 
notice is hereby given that the Department of Veterans Affairs (VA) is 
amending the system of records currently entitled ``Veteran, Patient, 
Employee, and Volunteer Research and Development Project Records--VA'' 
(34VA12) as set forth in the Federal Register 40 FR 38095, dated August 
26, 1975 and last amended in 59 FR 16705, dated March 27, 2001. VA is 
amending the system by revising the System Location, Categories of 
Individuals Covered by the System, Categories of Records in the System, 
Purpose, Routine Uses of Records Maintained in the System, Storage, 
Safeguards, Retention and Disposal, and Records Sources Categories. VA 
is republishing the system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than June 28, 2010. If no public comment is received, 
the amended system will become effective June 28, 2010.

ADDRESSES: Written comments may be submitted through https://www.Regulations.gov; by mail or hand-delivery to Director, Regulations 
Management (02Reg), Department of Veterans Affairs, 810 Vermont Avenue, 
NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. 
Comments received will be available for public inspection in the Office 
of Regulation Policy and Management, Room 1063B, between the hours of 8 
a.m. and 4:30 p.m., Monday through Friday (except holidays). Please 
call (202) 461-4902 (this is not a toll-free number) for an 
appointment. In addition, during the comment period, comments may be 
viewed online through the Federal Docket Management System (FDMS) at 
https://www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue, 
NW., Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION: Categories of individuals covered by the 
system has been amended to add members of research committees or 
subcommittees. In addition research and development employees.
    Categories of records in the system has been amended to include 
electronic or other databases containing research information developed 
during a research project(s) or for future research; and research 
information systems such as the Research and Development Information 
System (RDIS). In addition, the purpose has been expanded to include 
the development programs within research.
    Routine use 9 has been amended in its entirety. Routine use 20 was 
added to disclose information to other Federal agencies that may be 
made to assist such agencies in preventing and detecting

[[Page 29819]]

possible fraud or abuse by individuals in their operations and 
programs. This routine use permits disclosures by the Department to 
report a suspected incident of identity theft and provide information 
and/or documentation related to or in support of the reported incident.
    Routine use 21 was added so that the VA may, on its own initiative, 
disclose any information or records to appropriate agencies, entities, 
and persons when (1) VA suspects or has confirmed that the integrity or 
confidentiality of information in the system of records has been 
compromised; (2) the Department has determined that as a result of the 
suspected or confirmed compromise, there is a risk of embarrassment or 
harm to the reputations of the record subjects, harm to economic or 
property interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
entity) that rely upon the potentially compromised information; and (3) 
the disclosure is to agencies, entities, or persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosures by the Department to respond to a suspected or confirmed 
data breach, including the conduct of any risk analysis or provision of 
credit protection services as provided in 38 U.S.C. 5724, as the terms 
are defined in 38 U.S.C. 5727.
    The Privacy Act permits the VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which we collected the information. In all of the routine 
use disclosures described above, the recipient of the information will 
use the information in connection with a matter relating to one of VA's 
programs, will use the information to provide a benefit to the VA, or 
disclosure is required by law.
    Under section 264, Subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 
100 Stat. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable Health 
Information, 45 CFR Parts 160 and 164. The VA Veterans Health 
Administration may not disclose individually identifiable health 
information (as defined in HIPAA and the Privacy Rule, 42 U.S.C. 
1320(d)(6) and 45 CFR 164.501) pursuant to a routine use unless either: 
(a) The disclosure is required by law, or (b) the disclosure is also 
permitted or required by the HHS Privacy Rule. The disclosures of 
individually-identifiable health information contemplated in the 
routine uses published in this amended system of records notice are 
permitted under the Privacy Rule or required by law. However, to also 
have authority to make such disclosures under the Privacy Act, VA must 
publish these routine uses. Consequently, VA is publishing these 
routine uses and is adding a preliminary paragraph to the routine uses 
portion of the system of records notice stating that any disclosure 
pursuant to the routine uses in this system of records notice must be 
either required by law or permitted by the Privacy Rule before VHA may 
disclose the covered information.
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

    Approved: April 26, 2010.
John R. Gingrich,
Chief of Staff, Department of Veterans Affairs.
34VA12

SYSTEM NAME:
    ``Veteran, Patient, Employee, and Volunteer Research and 
Development Project Records--VA.''

SYSTEM LOCATION:
    Records are maintained at each VA health care facility where the 
research project was conducted, at VA facilities where research 
administration or oversight activities occur, and at VA Central Office 
(VACO). Address locations are listed in VA Appendix 1 of the biennial 
Privacy Act Issuance publication. In addition, records are maintained 
at contractor and fieldwork sites as studies are developed, data 
collected and reports written. A list of locations where individually 
identifiable data are currently located is available from the System 
Manager.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The following categories of individuals will be covered by this 
system: (1) Veterans; (2) patients; (3) employees; (4) volunteers who 
have indicated their willingness to be a participant in research 
projects being performed by VA, by a VA contractor or by another 
Federal agency in conjunction with VA; and (5) members of research 
committee or subcommittees, (6) research and development investigators, 
and research development employees.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records, or information contained in records, vary according to the 
specific research involved or research related activity involved and 
may include: (1) Research on biomedical, prosthetic and health care 
services; (2) research stressing spinal cord injuries and diseases and 
other disabilities that tend to result in paralysis of the lower 
extremities; and (3) morbidity and mortality studies on former 
prisoners of war, (4) research related to injuries sustained while on 
active duty military service such as traumatic amputations, traumatic 
brain injury, and burns; (5) electronic or other databases containing 
research information developed during a research project(s) or for 
future research; (6) research information systems such as the Research 
and Development Information System (RDIS); (7) copies of medical 
records of research participants; (8) merit review of the research 
projects; (9) review and evaluation of proposed research; (10) 
continuing review and oversight of ongoing research; (11) evaluation of 
research committees, and (12) a review and evaluation of the research 
and development investigators and of the participants in the program. 
The review and evaluation information concerning the research and 
development investigators may include personal and educational 
background information as well as specific information concerning the 
type of research conducted. Invention records contain: a certification 
page, describing the place, time, research support related to the 
invention and co-inventors; Technology Transfer Program Invention 
Evaluation Sheet Internal or External Invention Assessment reports; 
Research and Development Information System (RDIS) reports or other 
research information system reports on research support related to the 
invention; Correspondence; and the Office of General Counsel Letter of 
Determination.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, Section 7301.

[[Page 29820]]

PURPOSE(S):
    The records and information may be used to determine eligibility 
for research funding, to determine handling of intellectual properties, 
to manage proposed and/or approved research endeavors, and to evaluate 
the research and development program.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. Transfer of statistical and other data to Federal, State, and 
local government agencies and national health organizations to assist 
in the development of programs.
    2. VA may disclose on its own initiative any information in this 
system, except the names, home addresses, scrambled social security 
number, and social security number of veterans and their dependents, 
which is relevant to a suspected or reasonably imminent violation of 
law, whether civil, criminal or regulatory in nature and whether 
arising by general or program statute or by regulation, rule or order 
issued pursuant thereto, to a Federal, State, local, tribal, or foreign 
agency charged with the responsibility of investigating or prosecuting 
such violation, or charged with enforcing or implementing the statute, 
regulation, rule or order. On its own initiative, VA may also disclose 
the names, scrambled social security number, and social security number 
addresses of veterans and their dependents to a Federal agency charged 
with the responsibility of investigating or prosecuting civil, criminal 
or regulatory violations of law, or charged with enforcing or 
implementing the statute, regulation, rule or order issued pursuant 
thereto unless a Certificate of Confidentiality has been issued for the 
research by the National Institutes of Health under section 301(d) of 
the Public Health Service Act (42 U.S.C. 241(d)).
    3. Disclosure may be made to a congressional office from the record 
of an individual in response to an inquiry from the congressional 
office made at the request of that individual.
    4. Disclosure may be made to National Archives and Records 
Administration (NARA), General Services Administration (GSA) in records 
management inspections conducted under authority of 44 United States 
Code.
    5. Disclosure of medical record data, excluding name, address, 
scrambled social security number, and social security number (unless 
name, address, scrambled social security number, and social security 
number is furnished by the requester) for research purposes determined 
to be necessary and proper, to epidemiological and other research 
facilities approved by the Under Secretary for Health.
    6. In order to conduct Federal research necessary to accomplish a 
statutory purpose of an agency, at the written request of the head of 
the agency, or designee of the head of that agency, the name(s) and 
address(es) of present or former personnel of the Armed Services and/or 
their dependents may be disclosed (a) to a Federal department or agency 
or (b) directly to a contractor of a Federal department or agency. When 
a disclosure of this information is to be made directly to the 
contractor, VA may impose applicable conditions on the department, 
agency or contractor to ensure the appropriateness of the disclosure to 
the contractor.
    7. In order to conduct VA research, names, addresses, and social 
security numbers may be disclosed to other Federal and state agencies 
for the purpose of the Federal or state agency disclosing information 
on the individuals back to VA.
    8. Upon request for research project data from VA approved 
research, the following information will be released to the general 
public, including governmental and non-governmental agencies and 
commercial organizations: Project title and number; name and 
educational degree of principal investigator unless the release of this 
information would place the investigator at risk (physical, 
professional, etc.); VHA medical center location; type (initial, 
progress, or final) and date of last report; name and educational 
degree of associate investigators unless the release of this 
information would place the investigator at risk (physical, 
professional, etc.); project abstract if the project is ongoing, and 
project summary if the project has been completed. In addition, upon 
specific request, keywords and indexing codes will be included for each 
project.
    9. Upon request for information regarding VA employees conducting 
research, the following information will be released to the general 
public, including governmental agencies and commercial organizations: 
Name and educational degree of investigator; VHA title; academic 
affiliation and title; hospital service; primary and secondary 
specialty areas and subspecialty unless the release of this information 
would place the investigator at risk (physical, professional, etc.).
    10. A record from this system of records may be disclosed to a 
Federal agency, state or local government licensing board and/or to the 
Federation of State Medical Boards or a similar non-government entity, 
upon its request for use in the issuance of a security clearance, the 
investigation of an employee, the letting of a contract, or the 
issuance of a license, grant or other benefit by the requesting agency, 
to the extent that the information is relevant and necessary to the 
requesting that organization's decision on the matter.
    11. Identifying information in this system, including name, 
address, social security number and other information as is reasonably 
necessary to identify such individual, may be disclosed to the National 
Practitioner Data Bank at the time of hiring or clinical privileging/
reprivileging of health care practitioners, and other times as deemed 
necessary by VA, in order for VA to obtain information relevant to a 
Department decision concerning the hiring, privileging/reprivileging, 
retention or termination of the applicant or employee.
    12. Relevant information from this system of records may be 
disclosed to the National Practitioner Data Bank and State Licensing 
Board in the States in which a practitioner is licensed, in which the 
VA facility is located, or in which an act or omission occurred upon 
which a medical malpractice claim was based when VA reports information 
concerning: (a) Any payment for the benefit of a physician, dentist, or 
other licensed health care practitioner which was made as the result of 
a settlement or judgment of a claim of medical malpractice of an 
appropriate determination is made in accordance with agency policy that 
payment was related to substandard care, professional incompetence or 
professional misconduct on the part of the individual; (b) a final 
decision which relates to possible incompetence or improper 
professional conduct that adversely affects the clinical privileges of 
a physician or dentist for a period longer than 30 days; or, (c) the 
acceptance of the surrender of clinical privileges or any restriction 
of such privileges by a physician or dentist either while under 
investigation by the

[[Page 29821]]

health care entity relating to possible incompetence or improper 
professional conduct, or in return for not conducting such an 
investigation or proceeding. These records may also be disclosed as 
part of a computer matching program to accomplish these purposes.
    13. Information concerning individuals who have submitted research 
program proposals for funding, including the investigator's name, 
social security number, research qualifications and the investigator's 
research proposal, may be disclosed to qualified reviewers for their 
opinion and evaluation of the applicants and their proposals as part of 
the application review process.
    14. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
each case, the agency also determines prior to disclosure that release 
of the records to DoJ is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    15. Any invention information in this system may be disclosed to 
affiliated intellectual property partners to aid in the possible use, 
interest in, or ownership rights in VA intellectual property.
    16. VA may disclose information concerning merit review of 
proposals submitted by an individual to the individual except that 
information concerning a third party, such as the name or other 
identifying information about the qualified reviewer of the proposal.
    17. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    18. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
entity) that rely upon the potentially compromised information; and (3) 
the disclosure is to agencies, entities, or persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosures by the Department to respond to a suspected or confirmed 
data breach, including the conduct of any risk analysis or provision of 
credit protection services as provided in 38 U.S.C. 5724, as the terms 
are defined in 38 U.S.C. 5727.
    19. Disclosure of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities with whom 
VA has a contract or agreement or where there is a subcontract to 
perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor or subcontractor 
to perform the services of the contract or agreement.

Disclosure to consumer reporting agencies:
    Reports of all transactions dealing with data will be used within 
VA and will not be provided to any consumer-reporting agency.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    (1) Paper documents (2) Microscope slides (3) Magnetic tape or disk 
or other electronic media (4) Photographs and (5) Microfilm.

RETRIEVABILITY:
    Records are retrieved by individual identifiers and indexed by a 
specific project site or location, project number, or under the name of 
the research or development investigator.

SAFEGUARDS:
    This list of safeguards furnished in this System of Record is not 
an exclusive list of measures that has been, or will be, taken to 
protect individually-identifiable information. VHA will maintain the 
data in compliance with applicable VA security policy directives that 
specify the standards that will be applied to protect sensitive 
personal information. Physical Security: Access to VA working space and 
medical record storage areas is restricted to VA employees on a ``need 
to know'' basis.
    Generally, VA file areas are locked after normal duty hours and 
protected from outside access by the Federal Protective Service. 
Employee file records and file records of public figures or otherwise 
sensitive medical record files are stored in separate locked files. 
Strict control measures are enforced to ensure that disclosure is 
limited to a ``need to know'' basis.
    Access to a contractor's records and their system of computers used 
with the particular project are available to authorized personnel only. 
Records on investigators stored on automated storage media are 
accessible by authorized VA personnel via VA computers or computer 
systems. They are required to take annual VA mandatory data privacy and 
security training. Security complies with applicable Federal 
Information Processing Standards (FIPS) issued by the National 
Institute of Standards and Technology (NIST). Contractors and their 
subcontractors who access the data are required to maintain the same 
level of security as VA staff.

RETENTION AND DISPOSAL:
    The records contained in this system have not been scheduled and 
will be kept indefinitely until such time as they are. The records may 
not be destroyed until VA obtains an approved records disposition 
authority from the Archivist of the United States.

SYSTEM MANAGER(S) AND ADDRESS:
    Director of Operations, Research and Development (12), Department 
of Veterans Affairs, 810 Vermont Ave., NW., Washington, DC 20420.

NOTIFICATION PROCEDURE:
    Interested persons should write to: Director of Operations, 
Research and Development (12), Department of Veterans Affairs, 810 
Vermont Ave., NW., Washington, DC 20420. All inquiries must reasonably 
identify the project and site location; date of project and team 
leader.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of records in this system may write, call or visit the VA facility 
location where they made application for employment or are or were 
employed.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

[[Page 29822]]

RECORD SOURCE CATEGORIES:
    (1) Patients and patient records (2) employees and volunteers (3) 
other Federal agencies (4) National Institutes of Health (5) Centers 
for Disease Control (Atlanta, Georgia) (6) individual veterans (7) 
other VA systems of records (8) research and development investigators, 
and (9) research and development databases.

[FR Doc. 2010-12758 Filed 5-26-10; 8:45 am]
BILLING CODE P