Privacy Act of 1974, 66806-66812 [2013-26520]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 78, Number 215 (Wednesday, November 6, 2013)]
[Notices]
[Pages 66806-66812]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-26520]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of a New System of Records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552(e) (4)) requires all 
agencies publish in the Federal Register a notice of the existence and 
character of their systems of records. Notice is hereby given that the 
Department of Veterans Affairs (VA) is establishing a new system of 
records titled ``VA Mobile Application Environment (MAE)-VA'' 
(173VA005OP2).

DATES: Comments on this new system of records must be received no later 
than December 6, 2013. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by VA, the new system will become effective December 6, 2013.

ADDRESSES: Written comments concerning the proposed amended system of 
records may be submitted by: Mail or hand-delivery to Director, 
Regulations Management (02REG), Department of Veterans Affairs, 810 
Vermont Avenue NW, Room 1068, Washington, DC 20420; fax to (202) 273-
9026; or email to https://www.Regulations.gov. All comments received 
will be available for public inspection in the Office of Regulation 
Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 
4:30 p.m., Monday through Friday (except holidays). Please call (202) 
461-4902 for an appointment. (This is not a toll-free number.)

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue 
NW., Washington, DC 20420 or by telephone at (704) 245-2492.

SUPPLEMENTARY INFORMATION: 

[[Page 66807]]

I. Description of Proposed Systems of Records

    The MAE contains the core set of records to be used to support VA 
efforts to expand its technology into the mobile and Web-based 
application domain as well as facilitate utilization of applications 
and systems directly by patients and VA customers. The proposed system 
of records contains information on Veterans, Veteran beneficiaries, 
Veteran caregivers, members of the Armed Forces, and other VA customers 
in addition to VA-authorized users. VA-authorized users are VA 
employees, VA contractors, VA volunteers, and other individuals with 
permission to access VA Information Technology (IT) systems. These data 
are stored in VA resources, accessible to authorized users through 
applications utilizing services available in VA's MAE middle tier 
service layer (the VA Health Adapter). These records will be used in 
the provision of health care and benefits by VA. The records contain 
information that will be directly updated by Veterans, Veteran 
beneficiaries, Veteran caregivers, members of the Armed Forces, 
Reserves and National Guard, other VA customers, and VA-authorized 
users, such as demographics (e.g., name, social security number, 
physical address, phone number, email address), health-related 
information (e.g., vital signs, allergies, medications, health-related 
history, health assessments), benefits-related information, information 
provided to VA for the potential provision of services and benefits, 
military history and service, preferences for authorizing the sharing 
of their health information (e.g., electronic surrogate authorizations, 
electronic surrogate revocations). The records may include identifiers 
such as VA's integration control number. The records include 
information provided by Veterans and their beneficiaries or caregivers, 
members of the Armed Forces, Reserves or National Guard, VA employees, 
other VA-authorized users (e.g., Department of Defense), and 
information from VA computer systems and databases including, but not 
limited to, Veterans Health Information Systems and Technology 
Architecture (VistA)-VA (79VA10P2), National Patient Databases-VA 
(121VA10P2), VA Medical Centers (VAMC), Federal and non-Federal 
Veterans Lifetime Electronic Records (VLER)/eHealth Exchange partners, 
and the Department of Defense (DoD).
    The purpose of the system of records is to provide a repository for 
the clinical and administrative information that is collected, 
retrieved, or displayed from within a VA mobile or Web application. The 
purpose of use will include, but not be limited to: Health care 
treatment information, disability adjudication, and benefits to the 
Veteran both within the VAMC and in sharing with partners who are 
participating through the eHealth Exchange in VA's Mobile pilots and 
subsequent public and enterprise roll-out of new applications. Data may 
also be used at an aggregate, non-personally identifiable level to 
track and evaluate local or national health and benefits initiatives 
and preventative-care measures, such as detecting outbreaks of flu or 
other diseases, detection of antibiotic resistance bacteria, etc. The 
data may be used for such purposes as scheduling patient treatment 
services, including nursing care, clinic appointments, surveys, 
diagnostic and therapeutic procedures. The data may also be used for 
the purpose of health care operations such as: Producing various 
management and patient follow-up reports; responding to patients and 
other inquiries for epidemiological research and other health care-
related studies, statistical analysis, resource allocation and 
planning; providing clinical and administrative support to patient 
medical care; determining entitlement and eligibility for VA benefits; 
processing and adjudicating benefit claims by Veterans Benefits 
Administration Regional Office (VARO) staff, for audits, reviews, and 
investigations conducted by staff of VA Central Office, and VA's Office 
of Inspector General (OIG); sharing of health information between and 
among VHA, DoD, Indian Health Services (IHS), and other Government and 
private industry health care organizations; law enforcement 
investigations; quality assurance audits, reviews, and investigations; 
personnel management and evaluation; employee ratings and performance 
evaluations; and employee disciplinary or other adverse action, 
including discharge; advising health care professional licensing or 
monitoring bodies or similar entities of activities of VA and former VA 
health care personnel.

II. Proposed Routine Use Disclosures of Data in the System

    To the extent that records contained in the system include 
information protected by 38 United States Code (U.S.C.) 7332 (e.g., 
medical treatment information related to drug abuse, alcoholism or 
alcohol abuse, sickle cell anemia or infection with the human 
immunodeficiency virus). That information cannot be disclosed under a 
routine use unless there is also specific statutory authority 
permitting disclosure.
    VHA is proposing the following routine use disclosures of 
information to be maintained in the system:
    1. On its own initiative, VA may disclose information, except for 
the names and home addresses of Veterans and their dependents, to a 
Federal, state, local, tribal, or foreign agency charged with the 
responsibility of investigating or prosecuting civil, criminal, or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule, or order issued pursuant thereto. On its 
own initiative, VA may also disclose the names and addresses of 
Veterans and their dependents to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal, or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule, or order issued pursuant thereto. VA 
must be able to comply with the requirements of agencies charged with 
enforcing the law and conducting investigations. VA must also be able 
to provide information to state or local agencies charged with 
protecting the public's health as set forth in state law.
    2. Disclosure may be made to any source from which additional 
information is requested (to the extent necessary to identify the 
individual, inform the source of the purpose(s) of the request, and to 
identify the type of information requested), when necessary to obtain 
information relevant to an individual's eligibility, care history, or 
other benefits.
    3. Disclosure may be made to an agency in the executive, 
legislative, or judicial branch, or the District of Columbia's 
government in response to its request or at the initiation of VA, in 
connection with disease tracking, patient outcomes, or other health 
information required for program accountability.
    4. The record of an individual who is covered by a system of 
records may be disclosed to a Member of Congress or a staff person 
acting for the Member, when the Member or staff person requests the 
record on behalf of and at the written request of the individual. 
Individuals sometimes request the help of a Member of Congress in 
resolving some issues relating to a matter before VA. The Member of 
Congress then writes to VA, and VA must be able to give sufficient 
information to give response to the inquiry.
    5. Disclosure may be made to the National Archives and Records 
Administration (NARA) and the General Services Administration (GSA) in

[[Page 66808]]

records management inspections conducted under authority of Title 44, 
Chapter 29, of the United States Code. NARA and GSA are responsible for 
the management of old records no longer actively used, but which may be 
appropriate for preservation, and for the physical maintenance of the 
Federal Government's records. VA must be able to provide the records to 
NARA and GSA in order to determine the proper disposition of such 
records.
    6. VA may disclose information from this system of records to the 
Department of Justice (DOJ), either on VA's initiative or in response 
to DOJ's request for the information, after either VA or DOJ determines 
that such information is relevant to DOJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to DOJ is a 
use of the information contained in the records that is compatible with 
the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    7. Records from this system of records may be disclosed to inform a 
Federal agency, licensing boards, or the appropriate non-Government 
entities about the health care practices of a terminated, resigned, or 
retired health care employee whose professional health care activity so 
significantly failed to conform to generally accepted standards of 
professional medical practice as to raise reasonable concern for the 
health and safety of patients receiving medical care in the private 
sector or from another Federal agency.
    8. Disclosure may be made to a national certifying body which has 
the authority to make decisions concerning the issuance, retention, or 
revocation of licenses, certifications or registrations required to 
practice a health care profession, when requested in writing by an 
investigator or supervisory official of the national certifying body 
for the purpose of making a decision concerning the issuance, 
retention, or revocation of the license, certification, or registration 
of a named health care professional. VA must be able to report 
information regarding the care a health care practitioner provides to a 
national certifying body charged with maintaining the health and safety 
of patients by making a decision about a health care professional's 
license, certification, or registration, such as issuance, retention, 
revocation, or other actions such as suspension.
    9. Disclosure may be made to officials of labor organizations 
recognized under 5 U.S.C. Chapter 71, when relevant and necessary to 
their duties of exclusive representation concerning personnel policies, 
practices, and matters affecting working conditions.
    10. Disclosure may be made to the VA-appointed representative of an 
employee all notices, determinations, decisions, or other written 
communications issued to the employee in connection with an examination 
ordered by VA under medical evaluation (formerly fitness-for-duty) 
examination procedures or Department-filed disability retirement 
procedures.
    11. VA may disclose information to officials of the Merit Systems 
Protection Board (MSPB) or the Office of Special Counsel (OSC), when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law.
    12. VA may disclose information to the Equal Employment Opportunity 
Commission (EEOC) when requested in connection with investigations of 
alleged or possible discriminatory practices, examination of Federal 
affirmative employment programs, or for other functions of the 
Commission as authorized by law or regulation. VA must be able to 
provide information to the Commission to assist it in fulfilling its 
duties to protect employees' rights, as required by statute and 
regulation.
    13. VA may disclose to the Fair Labor Relations Authority (FLRA) 
(including its General Counsel) information related to the 
establishment of jurisdiction, the investigation and resolution of 
allegations of unfair labor practices, or information in connection 
with the resolution of exceptions to arbitration awards when a question 
of material fact is raised; to disclose information in matters properly 
before the Federal Services Impasse Panel (FSIP) and to investigate 
representation petitions and conduct or supervise representation 
elections. VA must be able to provide information to FLRA to comply 
with the statutory mandate under which it operates.
    14. Disclosure of medical record data, excluding name and address, 
unless name and address are furnished by the requester, may be made to 
epidemiological and other research facilities for research purposes 
determined to be necessary and proper when approved in accordance with 
VA policy.
    15. Disclosure of names and addresses of present or former 
personnel of the Armed Forces and/or their dependents, may be made to: 
(a) A Federal department or agency, at the written request of the head 
or designee of that agency; or (b) directly to a contractor or 
subcontractor of a Federal department or agency, for the purpose of 
conducting Federal research necessary to accomplish a statutory purpose 
of an agency. When disclosure of this information is made directly to a 
contractor, VA may impose applicable conditions on the department, 
agency, and/or contractor to ensure the appropriateness of the 
disclosure to the contractor.
    16. Disclosures of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities with whom 
VA has a contract or agreement or where there is a subcontract to 
perform the services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor or subcontractor 
to perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary entity or individual to perform an activity 
that is necessary for individuals, organizations, private or public 
agencies, or other entities or individuals with whom VA has a contract 
or agreement to provide the service to VA.
    17. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    18. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that, as a result of the suspected or 
confirmed compromise, there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency), or 
disclosure is to agencies, entities, or persons whom VA determines are

[[Page 66809]]

reasonably necessary to assist or carry out the Department's efforts to 
respond to the suspected or confirmed compromise and prevent, minimize, 
or remedy such harm. This routine use permits disclosures by the 
Department to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision of credit 
protection services as provided in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.
    19. VA may disclose any information to another covered entity that 
is a Government agency administering a Government program providing 
public benefits if the programs serve the same or similar populations 
as VA, and the disclosure of information is necessary to coordinate the 
functions of such programs or to improve administration and management 
relating to the functions of such programs.
    20. VA may disclose health care information to a non-VA health care 
provider, such as private health care providers or hospitals, DoD, or 
IHS providers, for the purpose of treating VA patients. To better 
facilitate medical care and treatment for Veterans, VA must be prepared 
to share health information between VHA, DoD, IHS, and other government 
health care organizations.
    21. VA may disclose information to a former VA employee or 
contractor, as well as the authorized representative of a current or 
former employee or contractor of VA, in pending or reasonably 
anticipated litigation against the individual regarding health care 
provided during the period of his or her employment or contract with 
VA.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which VA collected the information. In all of the routine 
use disclosures described above, either the recipient of the 
information will use the information in connection with a matter 
relating to one of VA's programs, to provide a benefit to the VA, or to 
disclose information as required by law.
    Under section 264, Subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 
100 Stat. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable Health 
Information, 45 CFR Parts 160 and 164. VHA may not disclose 
individually identifiable health information (as defined in HIPAA and 
the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to 
a routine use unless either: (a) the disclosure is required by law, or 
(b) the disclosure is also permitted or required by HHS' Privacy Rule. 
The disclosures of individually-identifiable health information 
contemplated in the routine uses published in this amended system of 
records notice are permitted under the Privacy Rule or required by law. 
However, to also have authority to make such disclosures under the 
Privacy Act, VA must publish these routine uses. Consequently, VA is 
publishing these routine uses and is adding a preliminary paragraph to 
the routine uses portion of the system of records notice stating that 
any disclosure pursuant to the routine uses in this system of records 
notice must be either required by law or permitted by the Privacy Rule, 
before VHA may disclose the covered information.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director, Office of Management and Budget (OMB), as required by 
5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 
77677), December 12, 2000.

    Approved: October 9, 2013.
Jose D. Riojas,
Chief of Staff, Department of Veterans Affairs.
173VA005OP2

SYSTEM NAME:
    VA Mobile Application Environment (MAE)-VA

SYSTEM LOCATION:
    Records are maintained at VA Contracted Service Provider, 
Terremark, at 18155 Technology Drive, Culpeper, VA 22701-3805.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records contain information on Veterans, Veteran beneficiaries, 
Veteran caregivers, members of the Armed Forces, Reserves and National 
Guard, and other VA customers in addition to VA authorized users (e.g., 
VA employees, VA contractors, VA volunteers, and other individuals 
permitted VA have access to VA IT systems).

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information related to data entered through 
Web and mobile applications developed and maintained by VA, accessed 
and updated by the individuals covered by the system as well as by VA-
authorized users. The records may contain information, such as 
demographics (e.g., name, social security numbers, physical address, 
phone number, email address), health-related information (e.g., vital 
signs, allergies, medications, health-related history, health 
assessments), benefit-related information, information provided to VA 
for the potential provision of services and benefits, military history 
and services, preferences for authorizing the sharing of their health 
information (e.g., electronic surrogate authorizations, electronic 
surrogate revocations). The records may include identifiers such as 
VA's integration control number. The information will be primarily 
benefits and health-related but may include other information such as 
customer-entered updates to demographic information.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, Section 501.

PURPOSE(S):
    The records and information will be used to provide a repository 
for the clinical and administrative information that is collected, 
retrieved, or displayed from within a VA mobile or Web application. The 
purpose of use will include, but not be limited to, health care 
treatment information, disability adjudication, and benefits to the 
Veteran both within the VA Medical Center and in sharing with partners 
who are participating through the eHealth Exchange in VA's Mobile 
pilots and subsequent public and enterprise roll-out of new 
applications. Data may also be used at an aggregate, non-personally 
identifiable level to track and evaluate local or national health and 
benefits initiatives and preventative-care measures, such as detecting 
outbreaks of flu or other diseases, detection of antibiotic resistance 
bacteria, etc. These data may be used for such purposes as scheduling 
patient treatment services, including nursing care, clinic 
appointments, surveys, diagnostic, and therapeutic procedures. These 
data may also be used for the purpose of health care operations, such 
as producing various management and patient follow-up reports; 
responding to patient and other inquiries; for epidemiological research 
and other health care-related studies; statistical analysis, resource 
allocation and planning; providing clinical and administrative support 
to patient medical care; determining entitlement and eligibility for VA

[[Page 66810]]

benefits; processing and adjudicating benefit claims by Veterans 
Benefits Administration Regional Office staff; for audits, reviews, and 
investigations conducted by staff of VA Central Office and VA's OIG; 
sharing of health information between and among VHA, DoD, IHS, and 
other Government and private industry health care organizations; law 
enforcement investigations; quality assurance audits, reviews, and 
investigations; personnel management and evaluation; employee ratings 
and performance evaluations; and employee disciplinary or other adverse 
action, including discharge; advising health care professional 
licensing or monitoring bodies or similar entities of activities of VA 
and former VA health care personnel.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 38 U.S.C. 7332, (e.g., medical treatment 
information related to drug abuse, alcoholism or alcohol abuse, sickle 
cell anemia or infection with the human immunodeficiency virus), that 
information cannot be disclosed under a routine use unless there is 
also specific statutory authority permitting disclosure.
    1. On its own initiative, VA may disclose information, except for 
the names and home addresses of Veterans and their dependents, to a 
Federal, state, local, tribal, or foreign agency charged with the 
responsibility of investigating or prosecuting civil, criminal, or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule, or order issued pursuant thereto. On its 
own initiative, VA may also disclose the names and addresses of 
Veterans and their dependents to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal, or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule, or order issued pursuant thereto.
    2. Disclosure may be made to any source from which additional 
information is requested (to the extent necessary to identify the 
individual, inform the source of the purpose(s) of the request), and to 
identify the type of information requested), when necessary to obtain 
information relevant to an individual's eligibility, care history, or 
other benefits.
    3. Disclosure may be made to an agency in the executive, 
legislative, or judicial branch, or the District of Columbia's 
government in response to its request or at the initiation of VA, in 
connection with disease tracking, patient outcomes or other health 
information required for program accountability.
    4. The record of an individual who is covered by a system of 
records may be disclosed to a Member of Congress, or a staff person 
acting for the Member, when the Member or staff person requests the 
record on behalf of and at the written request of the individual.
    5. Disclosure may be made to NARA and GSA in records management 
inspections conducted under authority of Title 44, Chapter 29, of the 
United States Code.
    6. VA may disclose information from this system of records to DOJ, 
either on VA's initiative or in response to DOJ's request for the 
information, after either VA or DOJ determines that such information is 
relevant to DOJ's representation of the United States or any of its 
components in legal proceedings before a court or adjudicative body, 
provided that, in each case, the agency also determines prior to 
disclosure that release of the records to DOJ is a use of the 
information contained in the records that is compatible with the 
purpose for which VA collected the records. VA, on its own initiative, 
may disclose records in this system of records in legal proceedings 
before a court or administrative body after determining that the 
disclosure of the records to the court or administrative body is a use 
of the information contained in the records that is compatible with the 
purpose for which VA collected the records.
    7. Records from this system of records may be disclosed to inform a 
Federal agency, licensing boards, or the appropriate non-Government 
entities about the health care practices of a terminated, resigned, or 
retired health care employee whose professional health care activity so 
significantly failed to conform to generally-accepted standards of 
professional medical practice as to raise reasonable concern for the 
health and safety of patients receiving medical care in the private 
sector or from another Federal agency.
    8. Disclosure may be made to a national certifying body which has 
the authority to make decisions concerning the issuance, retention, or 
revocation of licenses, certifications or registrations required to 
practice a health care profession, when requested in writing by an 
investigator or supervisory official of the national certifying body 
for the purpose of making a decision concerning the issuance, 
retention, or revocation of the license, certification, or registration 
of a named health care professional.
    9. Disclosure may be made to officials of labor organizations 
recognized under 5 U.S.C. Chapter 71, when relevant and necessary to 
their duties of exclusive representation concerning personnel policies, 
practices, and matters affecting working conditions.
    10. Disclosure may be made to the VA-appointed representative of an 
employee all notices, determinations, decisions, or other written 
communications issued to the employee in connection with an examination 
ordered by VA under medical evaluation (formerly fitness-for-duty) 
examination procedures or Department-filed disability retirement 
procedures.
    11. VA may disclose information to officials of MSPB or OSC, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law.
    12. VA may disclose information to EEOC when requested in 
connection with investigations of alleged or possible discriminatory 
practices, examination of Federal affirmative employment programs, or 
for other functions of the Commission as authorized by law or 
regulation.
    13. VA may disclose to FLRA (including its General Counsel) 
information related to the establishment of jurisdiction, 
investigation, and resolution of allegations of unfair labor practices, 
or information in connection with the resolution of exceptions to 
arbitration awards when a question of material fact is raised to 
disclose information in matters properly before the Federal Services 
Impasse Panel and to investigate representation petitions and conduct 
or supervise representation elections.
    14. Disclosure of medical record data, excluding name and address, 
unless name and address is furnished by the requester, may be made to 
epidemiological and other research facilities for research purposes 
determined to be necessary and proper when approved in accordance with 
VA policy.
    15. Disclosure of names and addresses of present or former 
personnel of the Armed Forces, and/or their dependents, may be made to: 
(a) a Federal department or agency, at the written request of the head 
or designee of that agency; or (b) directly to a contractor or 
subcontractor of a Federal department or agency, for the purpose of 
conducting

[[Page 66811]]

Federal research necessary to accomplish a statutory purpose of an 
agency. When disclosure of this information is made directly to a 
contractor, VA may impose applicable conditions on the department, 
agency, and/or contractor to ensure the appropriateness of the 
disclosure to the contractor.
    16. Disclosures of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities with whom 
VA has a contract or agreement or where there is a subcontract to 
perform the services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor or subcontractor 
to perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary entity or individual to perform an activity 
that is necessary for individuals, organizations, private or public 
agencies, or other entities or individuals with whom VA has a contract 
or agreement to provide the service to VA.
    17. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    18. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise, there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
disclosure is to agencies, entities, or persons whom VA determines are 
reasonably necessary to assist or carry out the Department's efforts to 
respond to the suspected or confirmed compromise and prevent, minimize, 
or remedy such harm. This routine use permits disclosures by the 
Department to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision of credit 
protection services as provided in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.
    19. VA may disclose any information to another covered entity that 
is a Government agency administering a Government program providing 
public benefits if the programs serve the same or similar populations 
as VA, and the disclosure of information is necessary to coordinate the 
functions of such programs or to improve administration and management 
relating to the functions of such programs.
    20. VA may disclose health care information to a non-VA health care 
provider, such as private health care providers or hospitals, DoD, or 
IHS providers, for the purpose of treating VA patients.
    21. VA may disclose information to a former VA employee or 
contractor, as well as the authorized representative of a current or 
former employee or contractor of VA, in pending or reasonably 
anticipated litigation against the individual regarding health care 
provided during the period of his or her employment or contract with 
VA.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are maintained on electronic storage media including 
magnetic tape, disk, and laser optical media.

RETRIEVABILITY:
    Records may be retrieved by name, social security number, VA's 
integration control number, or other assigned identifiers of the 
individuals for whom they are maintained.

SAFEGUARDS:
    1. Access to and use of national administrative databases, 
warehouses, and data marts are limited to those persons whose official 
duties require such access, and VA has established security procedures 
to ensure that access is appropriately limited. Information security 
officers and system data stewards review and authorize data access 
requests. VA regulates data access with security software that 
authenticates users and requires individually-unique codes and 
passwords. VA requires information security training for all staff and 
instructs staff on the responsibility each person has for safeguarding 
data confidentiality.
    2. Physical access to computer rooms housing national 
administrative databases, warehouses, and data marts is restricted to 
authorized staff and protected by a variety of security devices. 
Unauthorized employees, contractors, and other staff are not allowed in 
computer rooms.
    3. Data transmissions between operational systems and national 
administrative databases, warehouses, and data marts maintained by this 
system of record are protected by state-of-the-art telecommunication 
software and hardware. This may include firewalls, intrusion detection 
devices, encryption, and other security measures necessary to safeguard 
data as it travels across the VA-Wide Area Network.
    4. In most cases, copies of back-up computer files are maintained 
at off-site locations.

RETENTION AND DISPOSAL:
    Records from this system that are needed for audit purposes will be 
disposed of 6 years after a user's account becomes inactive. Routine 
records will be disposed of when the agency determines they are no 
longer needed for administrative, legal, audit, or other operational 
purposes. These retention and disposal statements are pursuant to NARA 
General Records Schedules GRS 20, item 1c and GRS 24, item 6a.

SYSTEM MANAGER(S) AND ADDRESS:
    Official maintaining this system of records and responsible for 
policies and procedures is the Executive Director of VA Enterprise 
Infrastructure Engineering, VA Office of Information and Technology, 
Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 
20420. Official delegated to maintain this system of records on behalf 
of VA OIT is the Director of VA Connected Health, VHA Office of 
Informatics and Analytics, Department of Veterans Affairs, 810 Vermont 
Avenue NW., Washington, DC 20420.

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether this system of records 
contains information about them should contact the Director of VA 
Connected Health, VHA Office of Informatics and Analytics, Department 
of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420 or 
via the Web at https://mobilehealth.va.gov. Inquiries should include the 
person's full name, social security number, and their return address.

RECORD ACCESS PROCEDURES:
    Individuals seeking information regarding access to and contesting 
of records in this system may write the Director of VA Connected 
Health, VHA Office of Informatics and Analytics, Department of Veterans 
Affairs, 810 Vermont Avenue NW., Washington, DC 20420. Inquiries 
should, at a minimum, include the person's full name, social security 
number, type of information

[[Page 66812]]

requested or contested, their return address, and phone number.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by Veterans and 
their beneficiaries or caregivers, members of the Armed Services, 
Reserves or National Guard; VA employees, other VA-authorized users 
(e.g., DoD), and information from VA computer systems and databases 
include, but not limited to, Veterans Health Information Systems and 
Technology Architecture (VistA)-VA (79VA10P2) and National Patient 
Databases-VA (121VA10P2), VAMCs, Federal and non-Federal VLER/eHealth 
Exchange partners, and DoD.

[FR Doc. 2013-26520 Filed 11-5-13; 8:45 am]
BILLING CODE 8320-01-P