Privacy Act of 1974; System of Records, 45590-45595 [2015-18646]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 80, Number 146 (Thursday, July 30, 2015)]
[Notices]
[Pages 45590-45595]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-18646]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), 
notice is hereby given that the Department of Veteran Affairs (VA) is 
amending the system of records currently entitled ``Non-VA Fee Basis 
Records--VA'' (23VA16) as set forth in the Federal Register 74 FR 
44905-44911, August 31, 2009. VA is amending the system of records by 
revising the System Name, System Number, System Location, Category of 
Records in the System, Authority for Maintenance, Purpose, Retention 
and Disposal, System Manager and Address, and Record Access Procedure, 
and Records Source Categories. VA is republishing the system notice in 
its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than August 31, 2015. If no public comment is 
received, the amended system will become effective August 31, 2015.

ADDRESSES: Written comments may be submitted through 
www.Regulations.gov; by mail or hand-delivery to Director, Regulations 
Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue 
NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. 
Comments received will be available for public inspection in the Office 
of Regulation Policy and Management, Room 1063B, between the hours of 
8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). 
Please call (202) 461-4902 (this is not a toll-free number) for an 
appointment. In addition, during the comment period, comments may be 
viewed online through the Federal Docket Management System (FDMS) at 
www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue 
NW., Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION: VA is renaming the system of records from 
Non-VA Fee Basis Records-VA to Non-VA Care (Fee) Records-VA. The system 
number is changed from 23VA16 to 23VA10NB3 to reflect the current 
organizational alignment.
    The System Location in this system of records is being amended to 
include the VA Financial Services Center (FSC), Austin, Texas; Austin 
Information Technology Center (AITC), Austin, Texas. This section will 
remove electronic images of fee claims processed as certified payments 
retained at the VA Financial Service Center (FSC) & Austin Information 
Technology Center (AITC), Austin, Texas. The words Non-VA Care and 
Purchased Care have also been included.
    The Category of Records in the System is amended to include 
Explanation of Benefits. The Authority for Maintenance of the System is 
being amended to include Title 26 U.S.C 61, U.S.C. 31, 1151,1741-1743, 
1781, 1786, 1787, 3102, 5701 (b)(6)(g)(2)(g)(4)(c)(1), 5724, 7332, 
8131-8137. 38 Code of Federal Regulations 2.6 and 45 CFR part 160 and 
164. Title 44 U.S.C and Title 45 U.S.C. Veterans Access, Choice, and 
Accountability Act of 2014.
    The Purpose in this system of records is being amended to include 
Third Party Liability. Also, this section will include the VA FSC as 
one of the agencies conducting audits, reviews, and investigations.
    The Retention and Disposal is being amended to include Non-VA Care. 
The System Manager and Address is amending the official maintaining the 
System as the Director, National Non-VA Care (Fee) Program Office, VHA 
Chief Business Office Purchased Care.
    The Record Access Procedure section is being amended to include 
health records. Also including those individuals seeking information 
regarding access to claims and/or billing records will write to the VHA 
Chief Business Office Purchased Care, Privacy Act Office, P.O. BOX 
469060, Denver, CO. All Requests for records about another person are 
required to provide a Request for an Authorization to Release Medical 
Records or Health Information signed by the record subject by using 
form VA Form 10-5345.
    The Record Source Categories is being amended to include the VA FSC 
as a source of information to the record system.
    The Report of Intent to Amend a System on Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management

[[Page 45591]]

and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and 
guidelines issued by OMB (65 FR 77677), December 12, 2000.
    Signing Authority: The Secretary of Veterans Affairs, or designee, 
approved this document and authorized the undersigned to sign and 
submit the document to the Office of the Federal Register for 
publication electronically as an official document of the Department of 
Veterans Affairs. Robert L. Nabors II, Chief of Staff, approved this 
document on [insert date], for publication.

    Approved: July 9, 2015.
Kathleen M. Manwell,
Program Analyst, VA Privacy Service, Office of Privacy and Records 
Management, Department of Veterans Affairs.
23VA10NB3

SYSTEM NAME:
    Non-VA Care (Fee) Records-VA

SYSTEM LOCATION:
    Paper and electronic records, including electronic images of Non-VA 
Care (fee) claims are maintained at the authorizing VA healthcare 
facility; the VA Financial Services Center (FSC), Austin, Texas; 
Austin. Information Technology Center (AITC), Austin, Texas; and 
Federal record centers. Information is also stored in automated storage 
media records that are maintained at the authorizing VA healthcare 
facility; VA Chief Business Office Purchased Care (CBOPC), Denver, 
Colorado; Department of Veterans Affairs Headquarters, Washington, DC; 
VA Allocation Resource Center (ARC), Braintree, Massachusetts; VA 
Office of Information Field Offices (OIFOs); and FSC & AITC. Address 
locations for VA facilities are listed in VA Appendix 1 of the biennial 
Privacy Act Issuances publication.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    1. Veterans who seek healthcare services under 38 U.S.C. Chapter 
17.
    2. Beneficiaries of other Federal agencies authorized VA medical 
services.
    3. Pensioned members of allied forces seeking healthcare services 
under 38 U.S.C.109.
    4. Healthcare providers treating individuals who receive care under 
38 U.S.C. Chapters 1 and 17.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records maintained in this system include application, eligibility, 
and claim information regarding payment determination for medical 
services provided to VA beneficiaries by non-VA healthcare institutions 
and providers. Application and eligibility data may include personal 
information of the claimant (e.g., name, address, social security 
number, date of birth, date of death, VA claim number, other health 
insurance data), description of VA adjudicated compensable or non-
compensable medical conditions, and military service data (e.g., dates, 
branch and character of service, medical information). Claim data in 
this system may include information needed to properly consider claims 
for payment such as an Explanation of Benefit (EOB), description of the 
medical conditions treated and services provided, authorization and 
treatment dates, amounts claimed for healthcare services, health 
records including films, and payment information (e.g., invoice number, 
account number, date of payment, payment amount, check number, payee 
identifiers). Additional information may include the healthcare 
provider's name, address, and taxpayer identification number, 
correspondence concerning individuals and documents pertaining to 
claims for medical services, reasons for denial of payment, and 
appellate determinations.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 5 U.S.C 301, Title 26 U.S.C 61. Title 38, U.S.C. sections 31, 
109, 111, 501, 1151 1703, 1705, 1710, 1712, 1717, 1720, 1721, 1724, 
1725, 1727, 1728, 1741-1743, 1781, 1786, 1787, 3102, 5701 
(b)(6)(g)(2)(g)(4)(c)(1), 5724, 7105, 7332, and 8131-8137. 38 Code of 
Federal Regulations 2.6 and 45 CFR part 160 and 164. Title 44 U.S.C and 
Title 45 U.S.C. Veterans Access, Choice, and Accountability Act of 
2014.

PURPOSE(S):
    Records may be used to establish, determine, and monitor 
eligibility to receive VA benefits and for authorizing and paying Non-
VA healthcare services furnished to veterans and beneficiaries. Other 
uses of this information include reporting healthcare provider earnings 
to the Internal Revenue Service; Third Party Liability, preparing 
responses to inquiries; performing statistical analyses for use in 
managerial activities, resource allocation and planning; processing and 
adjudicating administrative benefit claims by VBA Regional Office (RO) 
staff; conducting audits, reviews and investigations by staff of the VA 
healthcare facility, Veterans Integrated Service Network (VISN) 
Offices, VA FSC, VA Headquarters, and the VA Office of Inspector 
General (OIG); in the conduct of law enforcement investigations; and in 
the performance of quality assurance audits, reviews and 
investigations.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
beneficiaries, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature, and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, or Tribal 
agency charged with the responsibility of investigating or prosecuting 
such violation, or charged with enforcing or implementing the statute, 
regulation, rule or order. VA may disclose on its own initiative the 
names and addresses of Veterans and their beneficiaries to a Federal 
agency charged with the responsibility of investigating or prosecuting 
civil, criminal, or regulatory violations of law, or charged with 
enforcing or implementing the statute, regulation, rule or order issued 
pursuant thereto.
    2. A record from this system of records may be disclosed to a 
Federal, State, or local government agency, maintaining civil, 
criminal, or other relevant information, such as current licenses, 
registration or certification, if necessary, to obtain information 
relevant to an agency decision concerning the hiring or retention of an 
employee, the use of an individual as a consultant, attending or to 
provide Non-VA Care (fee), the issuance of a security clearance, the 
letting of a contract, or the issuance of a license, grant, or other 
health, educational or welfare benefits. Any information in this system 
also may be disclosed to any of the above-listed governmental 
organizations as part of a series of ongoing computer matches to 
determine if VA healthcare practitioners and private practitioners used 
by the VA hold current, unrestricted licenses, or are currently 
registered in a State, and are board certified in their specialty, if 
any.
    3. VA may disclose information from this system of records to a 
Federal

[[Page 45592]]

agency or the District of Columbia government, in response to its 
request, in connection with the hiring or retention of an employee and 
the issuance of a security clearance as required by law, the reporting 
of an investigation of an employee, the issuance of a license, grant, 
or other benefit by the requesting agency, to the extent that the 
information is relevant and necessary to the requesting agency's 
decision.
    4. Information from this system of records may be disclosed to the 
Department of the Treasury to facilitate VA payment to physicians, 
clinics, and pharmacies for reimbursement of services rendered, to 
facilitate payments to veterans for reimbursements of authorized 
expenses, or to collect, by set off or otherwise, debts owed the United 
States.
    5. Disclosure may be made to a congressional office, from the 
record of an individual, in response to an inquiry from the 
congressional office made at the request of that individual.
    6. Disclosure may be made to National Archives and Records 
Administration (NARA), and General Services Administration (GSA) in 
records management inspections conducted under authority of 44 United 
States Code.
    7. Records from this system of records may be disclosed to a 
Federal agency or to a State or local government licensing board and/or 
to the Federation of State Medical Boards or a similar nongovernment 
entity which maintains records concerning individuals' employment 
histories or concerning the issuance, retention or revocation of 
licenses, certifications, or registration necessary to practice an 
occupation, profession or specialty, in order for the agency to obtain 
information relevant to an agency decision concerning the hiring, 
retention or termination of an employee or to inform a Federal agency 
or licensing boards or the appropriate non-government entities about 
the healthcare practices of a terminated, resigned or retired 
healthcare employee whose professional healthcare activity so 
significantly failed to conform to generally accepted standards of 
professional medical practice as to raise reasonable concern for the 
health and safety of patients in the private sector or from another 
Federal agency. These records may also be disclosed as part of an 
ongoing computer-matching program to accomplish these purposes.
    8. Identifying information in this system, including name, address, 
social security number, and other information as is reasonably 
necessary to identify such individual, may be disclosed to the National 
Practitioner Data Bank at the time of hiring and/or clinical 
privileging of healthcare practitioners, and other times as deemed 
necessary by VA, in order for VA to obtain information relevant to a 
Department decision concerning the hiring, privileging, retention or 
termination of the applicant or employee.
    9. Relevant information from this system of records may be 
disclosed to the National Practitioner Data Bank and/or State Licensing 
Board in the State(s) in which a practitioner is licensed, in which the 
VA facility is located, and/or in which an act or omission occurred 
upon which a medical malpractice claim was based when VA reports 
information concerning: (a) Any payment for the benefit of a physician, 
dentist, or other licensed healthcare practitioner which was made as 
the result of a settlement or judgment of a claim of medical 
malpractice if an appropriate determination is made in accordance with 
agency policy that payment was related to substandard care, 
professional incompetence or professional misconduct on the part of the 
individual; (b) a final decision which relates to possible incompetence 
or improper professional conduct that adversely affects the clinical 
privileges of a physician or dentist for a period longer than 30 days; 
or (c) the acceptance of the surrender of clinical privileges or any 
restriction of such privileges by a physician or dentist either while 
under investigation by the healthcare entity relating to possible 
incompetence or improper professional conduct, or in return for not 
conducting such an investigation or proceeding. These records may also 
be disclosed as part of a computer-matching program to accomplish these 
purposes.
    10. Relevant identifying and medical treatment information 
(excluding medical treatment information related to drug or alcohol 
abuse, infection with the human immunodeficiency virus or sickle cell 
anemia) may be disclosed to a Federal agency or non-VA healthcare 
provider or institution, including their billing or collection agent, 
when VA refers a patient for treatment or medical services, or 
authorizes a patient to obtain non-VA medical services and the 
information is needed by the Federal agency or non-VA institution or 
provider to perform the services, or for VA to obtain sufficient 
information in order to consider or make payment for health care 
services, to evaluate the services rendered, or to determine the need 
for additional services.
    11. Information maintained in this system concerning non-VA 
healthcare institutions and providers, including name, address, social 
security or employer's taxpayer identification numbers, may be 
disclosed to the Department of the Treasury, Internal Revenue Service, 
to report calendar year earnings of $600 or more for income tax 
reporting purposes.
    12. The name, date of birth and social security number of a Veteran 
or beneficiary, and any other identifying and claim information as is 
reasonably necessary, such as provider identification, description of 
services furnished, and VA payment amount, may be disclosed to another 
Federal agency for its use in identifying potential duplicate payments 
for healthcare services paid by Department of Veteran Affairs and that 
agency. This information may also be disclosed as part of a computer 
matching agreement to accomplish this purpose.
    13. Relevant information from this system of records may be 
disclosed to individuals, organizations, or private or public agencies, 
with whom VA has a contract or agreement to perform such services as VA 
may deem practicable for the purposes of laws administered by VA, in 
order for the contractor or subcontractor to perform the services of 
the contract or agreement.
    14. Any relevant information in this system of records may be 
disclosed to attorneys, insurance companies, employers, and courts, 
boards, or commissions; such disclosures may be made only to the extent 
necessary to aid VA in the preparation, presentation, and prosecution 
of claims authorized under Federal, State, or local laws, and 
regulations promulgated thereunder.
    15. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    16. Any information in this system may be disclosed in connection 
with

[[Page 45593]]

any proceeding for the collection of an amount owed to the United 
States by virtue of a person's participation in any benefit program 
administered by the Veterans Health Administration when in the judgment 
of the Secretary, or an official generally delegated such authority 
under standard agency delegation of authority rules (38 CFR 2.6), such 
disclosure is deemed necessary and proper, in accordance with 38 U.S.C. 
5701(b)(6).
    17. The name and address of a veteran or beneficiary, and other 
information as is reasonably necessary to identify such individual, 
including personal information obtained from other Federal agencies 
through computer matching programs, and any information concerning the 
individual's indebtedness to the United States by virtue of the 
individual's participation in a benefits program administered by VA, 
may be disclosed to a consumer reporting agency for the purpose of 
locating the individual, obtaining a consumer report to determine the 
ability of the individual to repay an indebtedness, or assisting in the 
collection of such indebtedness provided that the applicable 
requirements of 38 U.S.C. 5701(g)(2) and 38 U.S.C. 5701(g)(4) have been 
met.
    18. In response to an inquiry about a named individual from a 
member of the general public, information from this system may be 
disclosed to report the amount of VA monetary benefits being received 
by the individual. This disclosure is consistent with 38 U.S.C. 
5701(c)(1).
    19. VA may disclose information from this system to a Federal 
agency for the purpose of conducting research and data analysis to 
perform a statutory purpose of that Federal agency upon the prior 
written request of that agency, provided that there is legal authority 
under all applicable confidentiality statutes and regulations to 
provide the data and VA has determined prior to the disclosure that the 
VA data handling requirements are satisfied.
    20. Any information in this system of records relevant to a claim 
of a Veteran or beneficiary, such as the name, address, the basis and 
nature of a claim, amount of benefit payment information, medical 
information and military service and active duty separation information 
may be disclosed to accredited service organizations, VA approved claim 
agents and attorneys acting under a declaration of representation, so 
that these individuals can aid claimants in the preparation, 
presentation and prosecution of claims under the laws administered by 
VA. The name and address of a claimant will not, however, be disclosed 
to these individuals under this routine use if the claimant has not 
requested the assistance of an accredited service organization, claims 
agent or an attorney.
    21. Any information in this system, including medical information, 
the basis and nature of claim, the amount of benefits, and other 
personal information may be disclosed to a VA Federal fiduciary or a 
guardian ad litem in relation to his or her representation of a 
claimant, but only to the extent necessary to fulfill the duties of the 
VA Federal fiduciary or the guardian ad litem.
    22. The individual's name, address, social security number and the 
amount (excluding interest) of any indebtedness which is waived under 
38 U.S.C. 3102, compromised under 4 CFR part 103, otherwise forgiven, 
or for which the applicable statute of limitations for enforcing 
collection has expired, may be disclosed to the Department of the 
Treasury, Internal Revenue Service, as a report of income under 26 
U.S.C. 61(a)(12).
    23. The name of a veteran or beneficiary, other information as is 
reasonably necessary to identify such individual, and any other 
information concerning the individual's indebtedness by virtue of a 
person's participation in a benefits program administered by VA, may be 
disclosed to the Department of the Treasury, Internal Revenue Service, 
for the collection of Title 38 benefit overpayments, overdue 
indebtedness, and/or costs of services provided to an individual not 
entitled to such services, by the withholding of all or a portion of 
the person's Federal income tax refund.
    24. The name, date of birth, and social security number of a 
Veteran or beneficiary, and other identifying information as is 
reasonably necessary may be disclosed to Social Security Administration 
for the purpose of validating social security numbers. This information 
may also be disclosed as part of a computer matching agreement to 
accomplish this purpose.
    25. The name and address of any healthcare provider in this system 
of records who has received payment for claimed services in behalf of a 
Veteran or beneficiary may be disclosed in response to an inquiry from 
a member of the general public.
    26. Relevant information from this system of records may be 
disclosed to an accrediting Quality Review and Peer Review Organization 
with which VA has an agreement or contract to conduct such reviews in 
connection with the review of claims or other review activities 
associated with VA healthcare facility accreditation to professionally 
accepted standards, such as The Joint Commission or Utilization Review 
Accreditation Commission (URAC) or American Accreditation HealthCare 
Commission.
    27. Eligibility and claim information from this system of records 
may be disclosed verbally or to a healthcare provider seeking 
reimbursement for claimed medical services to facilitate billing 
processes, verify eligibility for requested healthcare services, and 
provide payment information for claimed services. Eligibility or 
entitlement information disclosed may include the name, social security 
number, effective dates of eligibility, reasons for any period of 
ineligibility, and evidence of other health insurance information of 
the named individual. Claim information disclosed may include payment 
information such as payment identification number, date of payment, 
date of service, amount billed, amount paid, name of payee, and reasons 
for non-payment.
    28. Identifying information, including social security number of 
Veterans, spouse(s) of Veterans, and dependents of Veterans, may be 
disclosed to other Federal agencies for purposes of conducting computer 
matches, to obtain information to determine or verify eligibility of 
Veterans who are receiving VA medical care under relevant sections of 
Title 38 U.S.C.
    29. VA may disclose patient identifying information to Federal 
agencies and VA and government-wide third-party insurers responsible 
for payment of the cost of medical care for the identified patients, in 
order for VA to seek recovery of the medical care costs. These records 
may also be disclosed as part of a computer matching program to 
accomplish this purpose.
    30. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    31. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise, there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of

[[Page 45594]]

this system or other systems or programs (whether maintained by the 
Department or another agency or entity) that rely upon the potentially 
compromised information; and (3) the disclosure is to agencies, 
entities, or persons whom VA determines are reasonably necessary to 
assist or carry out the Department's efforts to respond to the 
suspected or confirmed compromise and prevent, minimize, or remedy such 
harm. This routine use permits disclosures by the Department to respond 
to a suspected or confirmed data breach, including the conduct of any 
risk analysis or provision of credit protection services as provided in 
38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are maintained on paper documents or stored electronically 
by magnetic discs, magnetic tape, and optical or digital imaging at the 
authorizing VA healthcare facility. Reports and information on 
automated storage media (e.g., microfilm, microfiche, magnetic tape and 
disks, and digital and laser optical media) is stored at the 
authorizing VA healthcare facility, VA Headquarters, ARC, OIFOs, FSC, 
AITC, and Veterans Integrated Service Network (VISN) offices.
    Information pertaining to electronic claims submitted to VA for 
payment consideration may be stored at the authorizing VA healthcare 
facility, FSC, AITC, and at CBOPC. Records maintained at CBOPC are 
stored electronically.

RETRIEVABILITY:
    Paper and electronic records pertaining to the individual may be 
retrieved by the name or Social Security number of the record subject. 
Records pertaining to the healthcare provider are retrieved by the name 
or Social Security and taxpayer identification number of the non-VA 
healthcare institution or provider. Records at the ARC are retrieved 
only by Social Security number.

SAFEGUARDS:
    1. VA will maintain the data in compliance with applicable VA 
security policy directives that specify the standards that will be 
applied to protect sensitive personal information. Contractors and 
their subcontractors who access the data are required to maintain the 
same level of security as VA staff. Working spaces and record storage 
areas in VA facilities are restricted to VA employees. Generally, file 
areas are locked after normal duty hours and healthcare facilities are 
protected from outside access by security personnel. Access to the 
records is restricted to VA employees who have a need for the 
information in the performance of their official duties. Employee 
records or records of public figures or otherwise sensitive records are 
generally stored in separate locked files.
    2. Electronic data security complies with applicable Federal 
Information Processing Standards (FIPS) issued by the National 
Institute of Standards and Technology (NIST). Access to computer rooms 
at healthcare facilities is generally limited by appropriate locking 
devices and restricted to authorized VA employees and vendor personnel. 
Peripheral devices are generally placed in secure areas (areas that are 
locked or have limited access) or are otherwise protected. Access to 
file information is controlled at two levels: The system recognizes 
authorized employees by a series of individually unique passwords/codes 
that must be changed periodically by the employee, and employees are 
limited by role-based access to only that information in the file which 
is needed in the performance of their official duties. Information that 
is downloaded and maintained on personal computers is afforded similar 
storage and access protections as the data that is maintained in the 
original files. Remote access to file information by staff of the 
OIFOs, and access by OIG staff conducting an audit or investigation at 
the healthcare facility or an OIG office location remote from the 
healthcare facility is controlled in the same manner.
    3. Access to FSC and AITC is generally restricted to each Center's 
employees, custodial personnel and security personnel. Access to 
computer rooms is restricted to authorized operational personnel 
through electronic locking devices. All other persons gaining access to 
computer rooms are escorted. Authorized VA employees at remote 
locations, including VA healthcare facilities, OIFOs, VA Headquarters, 
VISN offices, and OIG headquarters and field staff, may access 
information stored in the computer. Access is controlled by 
individually unique passwords/codes that must be changed periodically 
by the employee.
    4. Access to records maintained at VA Headquarters, ARC, OIFOs, and 
VISN offices is restricted to VA employees who have a need for the 
information in the performance of their official duties. Access to 
information stored on automated storage media is controlled by 
individually unique passwords/codes that must be changed periodically 
by the employee. Authorized VA employees at remote locations including 
VA healthcare facilities may access information stored in the computer. 
Access is controlled by individually unique passwords/codes. Records 
are maintained in manned rooms during nonworking hours. The facilities 
are protected from outside access during working hours by security 
personnel.
    5. Information downloaded and maintained by the OIG Headquarters 
and field offices on automated storage media is secured in storage 
areas or facilities to which only OIG staff members have access. Paper 
documents are similarly secured. Access to paper documents and 
information on automated storage media is limited to OIG employees who 
have a need for the information in the performance of their official 
duties. Access to information stored on automated storage media is 
controlled by individually unique passwords/codes.
    6. Access to records maintained at CBOPC Office of Information and 
Technology (OI&T) is restricted to VA employees who have a need for the 
information in the performance of their official duties. Access to 
information stored on automated storage media is controlled by 
individually unique passwords/codes that must be changed periodically 
by the employee. Authorized VA employees at remote locations including 
VA healthcare facilities may access and print information stored in the 
computer. Access is controlled by individually assigned unique 
passwords/codes. Records are maintained in a secured, pass card 
protected and alarmed room. The facilities are protected from outside 
access during non-working hours by security personnel.

RETENTION AND DISPOSAL:
    Paper and electronic documents at the authorizing healthcare 
facility related to authorizing the Non-VA Care (fee) and the services 
authorized, billed and paid for are maintained in ``Patient Medical 
Records--VA'' (24VA10P2). These records are retained at healthcare 
facilities for a minimum of three years after the last episode of care. 
After the third year of inactivity the paper records are transferred to 
a records facility for seventy-two (72) more years of storage.
    Automated storage media, imaged Non-VA Care (fee) claims, and other 
paper documents that are included in this system of records and not 
maintained in ``Patient Medical Records--VA'' (24VA10P2) are retained

[[Page 45595]]

and disposed of in accordance with disposition authority approved by 
the Archivist of the United States.
    Paper records that are imaged for viewing electronically are 
destroyed after they have been scanned, and the electronic copy is 
determined to be an accurate and complete copy of the paper record 
imaged.

SYSTEM MANAGER(S) AND ADDRESS:
    Official responsible for policies and procedures: Chief Business 
Officer (10NB), Department of Veterans Affairs, Veterans Health 
Administration, VA Central Office, 810 Vermont Avenue NW., Washington, 
DC 20420. Official Maintaining the System: Director, National Non-VA 
Care (Fee) Program Office, VHA Chief Business Office Purchased Care, 
P.O. Box 469066, Denver, CO 80246.

NOTIFICATION PROCEDURE:
    An individual who wishes to determine whether a record is being 
maintained in this system under the individual's name or other personal 
identifier, or who wants to determine the contents of such record, 
should submit a written request or apply in person to the last VA 
healthcare facility where care was authorized or rendered. Addresses of 
VA healthcare facilities may be found in VA Appendix 1 of the Biennial 
Publication of Privacy Act Issuances. All inquiries must reasonably 
identify the portion of the Non-VA Care (fee) record involved and the 
place and approximate date that medical care was provided. Inquiries 
should include the patient's full name, social security number, and 
return address.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to health records 
and/or contesting health l records may write, call or visit the VA 
facility where medical care was last authorized or provided. 
Individuals seeking information regarding access to claims and/or 
billing records will write to the VHA Chief Business Office Purchased 
Care, Privacy Office, PO BOX 469060, Denver, CO. All Requests for 
records about another person are required to provide a Request for an 
Authorization to Release Medical Records or Health Information signed 
by the record subject by using form VA Form 10-5345.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:
    The Veteran or other VA beneficiary, family members or accredited 
representatives, and other third parties; military service departments; 
private medical facilities and healthcare professionals; electronic 
trading partners; other Federal agencies; Veterans Health 
Administration facilities and automated systems; Veterans Benefits 
Administration facilities and automated systems; VA FSC facility and 
automated systems; and deployment status and availability.

[FR Doc. 2015-18646 Filed 7-29-15; 8:45 am]
 BILLING CODE 8320-01-P