Privacy Act Of 1974; System of Records, 70365-70369 [2010-28950]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 75, Number 221 (Wednesday, November 17, 2010)]
[Notices]
[Pages 70365-70369]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-28950]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act Of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of Amendment to System of Records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), 
notice is hereby given that the Department of Veterans Affairs (VA) is 
amending the system of records currently entitled ``My HealtheVet 
Administrative Records--VA'' 130VA19 as set forth in the Federal 
Register 193 FR 59991. VA is amending the system by revising the 
Routine Uses of Records Maintained in the System and the Categories of 
Records in the System, Location, and Purpose. VA is republishing the 
system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than December 17, 2010. If no public comment is 
received, the amended system will become effective December 17, 2010.

ADDRESSES: Written comments may be submitted through https://www.Regulations.gov; by mail or hand-delivery to Director, Regulations 
Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue, 
NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. 
Comments received will be available for public inspection in the Office 
of Regulation Policy and Management, Room 1063B, between the hours of 8 
a.m. and 4:30 p.m., Monday through Friday (except holidays). Please 
call (202) 461-4902 (this is not a toll-free number) for an 
appointment. In addition, during the comment period, comments may be 
viewed online through the Federal Docket Management System (FDMS) at 
https://www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue, 
NW., Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION:
    Background: My HealtheVet (MHV) is a web-based personal health 
record

[[Page 70366]]

system that provides Veterans with information and tools that they can 
use to increase their knowledge about health conditions, increase 
communication with their care providers and improve their own health. 
Level one Veterans (who have a MHV account hosted behind the VA 
firewall which follows VA approved guidelines for user name and strong 
password) are able to access health education tools and resources, 
create and maintain a secure comprehensive personal health record, and 
request VA prescription refills online. Authenticated level two 
Veterans are able to receive electronic copies of their health 
information, view VA wellness reminders, communicate with their 
providers through secure messaging, and access a number of other 
functions and options related to their health maintenance and health 
information. VA also provides, through a web-based environment, a 
secure and private health space where Veterans can enter their own 
personal and medical information in a ``self-entered'' health 
information section.
    Electronic copies of health information are not considered VA 
authoritative records, nor are they considered part of the VA system of 
records once they are downloaded into the Veteran's secure and private 
health space. The Veteran's self-entered health information is also 
owned and maintained by the Veteran in the My HealtheVet secure and 
private health space and is not by itself a part of the VA's system of 
records. This self-entered health information may be included in the 
Veteran's official VA electronic health record upon the Veteran's 
request and/or upon VA's determination that it is appropriate to 
include it in the official medical record.
    Certain applications of My HealtheVet may generate or result in 
data and information that is included in another VA system of records, 
such as secure messages which are generated from the My HealtheVet 
application but are included in 24VA19 system of records due to the 
potential for clinically relevant information to be contained within a 
secure message. Administrative data associated with such applications 
will be included in the My HealtheVet Administrative Records--VA system 
of records.
    Certain applications of My HealtheVet may interface with other VA 
maintained programs or applications to allow communication from the 
Veteran to the specific application or program, such as eBenefits 
applications, a VA/DoD joint portal. Certain administrative data may be 
maintained by My HealtheVet as a result of these applications or 
exchanges; however, the VA maintained program or application receiving 
the information will maintain the authoritative information of record.
    My HealtheVet may also be used, upon permission from the Veteran, 
as a Health Information Exchange point, between a VA approved agency or 
organization and the Veteran's personal health record.
    VA does not provide access to the Veteran's personal health 
information maintained in My HealtheVet in any situation, including 
medical emergency situations. If a non-VA health care provider requires 
information from VA medical records to treat a Veteran patient, the 
non-VA health care provider must obtain the Veteran's consent to 
release information and contact the VA facility where the Veteran 
patient was last treated to obtain information.
    Delegation of My HealtheVet will allow Veterans to share all or 
part of the information in their account with other individuals that 
they designate, such as family members, and VA and non-VA health care 
providers.
    In order to administer the My HealtheVet program and support the 
provision of the above benefits to Veterans, VHA retains administrative 
information, including personally identifiable information on users of 
My HealtheVet. In addition, VHA houses the patient's self-entered 
information in a separate database, but the administrative and patient 
data files can be linked. This administrative information is stored in 
the My HealtheVet Administrative Records System, and constitutes a 
separate system of records.

I. Description of Proposed System of Records

    The My HealtheVet Administrative Records System contains 
administrative information created or collected during the course of 
operating My HealtheVet, and is provided by Veterans and other 
qualified individuals, their delegates and grantees, Veterans Health 
Information Systems and Technology Architecture (VistA) IT systems, VA 
employees, contractors, and subcontractors. At this time, the My 
HealtheVet program is planning to maintain minimal administrative 
records at each local facility, while maintaining more comprehensive 
administrative records at a central location, VA National Data Center 
or VA Health Data Warehouse Repository. The records kept locally 
support the local VA My HealtheVet training programs and applications, 
and VA's annual reporting requirements under the Freedom of Information 
Act (FOIA) for those Veterans who request electronic access to copies 
of key portions of their health records.
    The more comprehensive repository of administrative information is 
maintained at a central location. This information is used to support 
My HealtheVet electronic services, such as requests for prescription 
refill, co-payment and appointment information, entry of personal 
health metrics, and Veteran requests for electronic copies of their 
health information. This information may also be used for business 
administrative reports for system operators and VA managers to ensure 
that the My HealtheVet system is meeting performance expectations and 
being used within legal boundaries.
    The information needed to support My HealtheVet program activities 
and electronic services includes such information as: the person's full 
name; My HealtheVet User ID; date of birth; e-mail address; telephone 
number; social security number; mother's maiden name; zip code; place 
and date of registration for My HealtheVet electronic record access; 
delegate and grantee user IDs associated with My HealtheVet users; 
level of access to My HealtheVet electronic services; date and type of 
transaction; patient integration control number (ICN); and other 
administrative data needed for My HealtheVet roles and services.

II. Proposed Routine Use Disclosures of Data in the System

    We are proposing to establish the following Routine Use disclosures 
of information maintained in the system:
    6. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    This routine use permits disclosures by the Department to report a 
suspected incident of identity theft and provide information or 
documentation related to or in support of the reported incident.
    7. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise, there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the

[[Page 70367]]

Department or another agency or disclosure is to agencies, entities, or 
persons whom VA determines are reasonably necessary to assist or carry 
out the Department's efforts to respond to the suspected or confirmed 
compromise and prevent, minimize, or remedy such harm. This routine use 
permits disclosures by the Department to respond to a suspected or 
confirmed data breach, including the conduct of any risk analysis or 
provision of credit protection services as provided in 38 U.S.C. 5724, 
as the terms are defined in 38 U.S.C. 5727.
    8. Disclosure of administrative data including information about My 
HealtheVet use and user transactions accomplished via the Web site may 
be provided to approved VA research investigators with VA Institutional 
Review Board (IRB) approval. Disclosure of this information to research 
investigators will allow VA to evaluate the value of the My HealtheVet 
for purposes of system modification and improvement, and for purposes 
of promoting patient self-management of health and improved health 
outcomes.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information, in this case administrative information, will be used for 
a purpose that is compatible with the purpose for which VA collected 
it. In all of the routine use disclosures described above, either the 
recipient of the administrative information will use the information in 
connection with the My HealtheVet program, a matter relating to one of 
VA's programs to provide a benefit to VA, or to meet legal requirements 
for disclosure.
    The Report of Intent to Amend a System on Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

    Approved: November 1, 2010.
John R. Gingrich,
Chief of Staff, Department of Veterans Affairs.
130VA19

SYSTEM NAME:
    ``My HealtheVet Administrative Records--VA''

SYSTEM LOCATION:
    Veterans Health Administration (VHA) local facilities, VA National 
Data Centers, and VA Health Data Repository (HDR) located at the VA 
National Data Centers. Address locations for VA facilities are listed 
in VA Appendix 1 of the biennial publications of the VA systems of 
records.

Categories of individuals covered by the system:
    Individuals covered encompass: (1) All individuals who successfully 
register for a My HealtheVet account and whose identity has been 
verified; (2) Representatives of the above individuals who have been 
provided grantee or delegate access to My HealtheVet including, but not 
limited to, family members, friends, or VA and non-VA health care 
providers; (3) VA health care providers and certain administrative 
staff; (4) VHA Information Technology (IT) staff and/or their approved 
contractors who may need to enter identifying, administrative 
information into the system to initiate, support and maintain 
electronic services for My HealtheVet participants; and (5) VA 
researchers fulfilling VA required authorization procedures.

Categories of records in the system:
    The records include personally identifiable information, such as an 
individual's full name; My HealtheVet User Identifier (ID); date of 
birth; social security number; e-mail address; telephone number; 
mother's maiden name; ZIP code; place and date of registration for My 
HealtheVet; delegate and grantee user IDs associated with My HealtheVet 
accounts; level of access to My HealtheVet electronic services; date 
and type of transaction; web analytics for the purpose of monitoring 
site usage, patient internal control number (ICN); and other 
administrative data needed for My HealtheVet roles and services.

Authority for maintenance of the system:
    Title 38, United States Code, Sec.  501.

PURPOSE(S):
    The information in the My HealtheVet Administrative Records is 
needed to operate the My HealtheVet program, including but not limited 
to registration and verification of the Veteran's identity or to 
register and authenticate those who have legal authority to participate 
in lieu of the Veteran, to assign and verify administrators of the My 
HealtheVet portal, to retrieve the Veteran's information to perform 
specific functions, allow access to specific information and provide 
other associated My HealtheVet electronic services in current and 
future applications of the My HealtheVet program. The administrative 
information may also be used to create administrative business reports 
for system operators and VA managers who are responsible for ensuring 
that the My HealtheVet system is meeting performance expectations, and 
is in compliance with applicable Federal laws and regulations. 
Administrative information may also be used for evaluation to support 
program improvement, including VA approved research studies.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    To the extent that records contained in the system include 
information protected by 45 CFR Parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR Parts 160 and 164 permitting disclosure.
    1. Disclosure of information in this system of records may be made 
to private or public sector organizations, individuals, agencies, etc., 
with whom VA has a contract or agreement, including subcontractors, in 
order to administer the My HealtheVet program, or perform other such 
services as VA deems appropriate and practical for the purposes of 
administering VA laws.
    2. VA may disclose on its own initiative any information in the 
system, except the names and home addresses of Veterans and their 
dependents, that is relevant to a suspected or reasonably imminent 
violation of the law whether civil, criminal, or regulatory in nature 
and whether arising by general or program statute or by regulation, 
rule, or order issued pursuant thereto, to a Federal, state, local, 
tribal, or foreign agency charged with the responsibility of 
investigating or prosecuting such violation, or charged with enforcing 
or implementing the statute, regulation, rule, or order. VA may also 
disclose on its own initiative the names and addresses of veterans and 
their dependents to a Federal agency charged with the responsibility of 
investigating or prosecuting civil, criminal, or regulatory violations 
of law, or charged with enforcing or implementing the statute, 
regulation, or order issued pursuant thereto.

[[Page 70368]]

    3. Disclosure may be made to National Archives and Records 
Administration (NARA) and the General Services Administration (GSA) to 
support its records management inspections responsibilities and its 
role as Archivist of the United States under authority of title 44 
United States Code (U.S.C).
    4. Any information in this system of records may be disclosed to 
the United States Department of Justice or United States Attorneys in 
order to prosecute or defend litigation involving or pertaining to the 
United States, or in which the United States has an interest.
    5. Disclosure may be made to a congressional office from the record 
of an individual in response to an inquiry from the congressional 
office made at the request of that individual.
    6. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    7. Disclosure of information may be made when (1) it is suspected 
or confirmed that the integrity or confidentiality of information in 
the system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security or integrity of this system or other 
systems or programs (whether maintained by the Department or another 
agency or entity) that rely upon the compromised information; and (3) 
the disclosure is to agencies, entities, and persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosure by the Department to respond to a suspected or confirmed 
data breach, including the conduct of any risk analysis or confirmed 
data breach, including the conduct of any risk analysis or provision of 
credit protection services as provided in 38 U.S.C. 5724, as the terms 
are defined in 38 U.S.C. 5727.
    8. Disclosure of information may be made to VA to approved 
researchers to enhance, advance and promote both the function and the 
content of the My HealtheVet application.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    These administrative records are maintained on paper and electronic 
media, including hard drive disks, which are backed up to tape at 
regular intervals.

Retrievability:
    Records may be retrieved by an individual's name, user ID, date of 
registration for My HealtheVet electronic services, zip code, the VA 
assigned ICN, date of birth and/or social security number, if provided.

Safeguards:
    1. Access to and use of the My HealtheVet Administrative Records 
are limited to those persons whose official duties require such access; 
VA has established security procedures to ensure that access is 
appropriately limited. Information security officers and system data 
stewards review and authorize data access requests. VA regulates data 
access with security software that authenticates My HealtheVet 
administrative users and requires individually unique codes and 
passwords. VA provides information security training to all staff and 
instructs staff on the responsibility each person has for safeguarding 
data confidentiality. VA regularly updates security standards and 
procedures that are applied to systems and individuals supporting this 
program.
    2. Physical access to computer rooms housing the My HealtheVet 
Administrative Records is restricted to authorized staff and protected 
by a variety of security devices. Unauthorized employees, contractors, 
and other staff are not allowed in computer rooms. The Federal 
Protective Service or other security personnel provide physical 
security for the buildings housing computer systems and data centers.
    3. Data transmissions between operational systems and My HealtheVet 
Administrative Records maintained by this system of records are 
protected by telecommunications software and hardware as prescribed by 
VA standards and practices. This includes firewalls, encryption, and 
other security measures necessary to safeguard data as it travels 
across the VA-Wide Area Network.
    4. Copies of back-up computer files are maintained at secure off-
site locations.

Retention and disposal:
    Records are maintained and disposed of in accordance with the 
records disposition authority approved by the Archivist of the United 
States. Records from this system that are needed for audit purposes 
will be disposed of 6 years after a user's account becomes inactive. 
Routine records will be disposed of when the agency determines they are 
no longer needed for administrative, legal, audit, or other operational 
purposes. These retention and disposal statements are pursuant to NARA 
General Records Schedules GRS 20, item 1c and GRS 24, item 6a.

System manager(S) and address:
    Official responsible for policies and procedures: Deputy Chief 
Information Officer for Health (19), Department of Veterans Affairs, 
810 Vermont Avenue, NW., Washington, DC 20420. Officials maintaining 
this system of records: The local VA facility (Address locations for VA 
facilities are listed in VA Appendix 1 of the biennial publications of 
the VA systems of records) and the Chief, Technical Infrastructure 
Division (31), Austin Automation Center, 1615 Woodward Street, Austin, 
Texas 78772.

Notification procedure:
    Individuals who wish to determine whether a record is being 
maintained under their name in this system or wish to determine the 
contents of such records have two options:
    1. Submit a written request or apply in person to the VA facility 
where the records are located. VA facility location information can be 
found in the Facilities Locator section of VA's Web site at https://www.va.gov; or
    2. Submit a written request or apply in person to the Chief of the 
Technical Infrastructure Division (31), Austin Automation Center, 1615 
Woodward Street, Austin, Texas 78772.
    Inquiries should include the person's full name, user ID, date of 
birth and return address.

Record access procedure:
    Individuals seeking information regarding access to and contesting 
of records in this system may write or call their local VA facility 
and/or the Chief of the Technical Infrastructure Division (31), Austin 
Automation Center, 1615 Woodward Street, Austin, Texas 78772, or call 
(512) 326-6780 to reach the VA Austin Automation Center Help Desk speak 
with the Chief of the Technical Infrastructure Division.

Contesting record procedures:
    (See Record Access Procedures above).

Record source categories:
    The sources of information for this system of records include the

[[Page 70369]]

individuals covered by this notice and an additional contributor, as 
listed below:
    (1) All individuals who successfully register for a My HealtheVet 
account;
    (2) Representatives of the above individuals who have been provided 
access to the private health space by the Veteran user, including but 
not limited to, family members, friends, or VA and non-VA health care 
providers;
    (3) VA health care providers;
    (4) VHA IT staff and/or their contractors and subcontractors who 
may need to enter information into the system to initiate, support and 
maintain My HealtheVet electronic services for My HealtheVet users;
    (5) VistA systems and
    (6) VA researchers fulfilling VA required authorization procedures 
(see VHA Handbook 1200.01 https://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=2038).

[FR Doc. 2010-28950 Filed 11-16-10; 8:45 am]
BILLING CODE 8320-01-P