Privacy Act of 1974; System of Records, 45597-45602 [2016-16640]

Download as PDF Federal Register / Vol. 81, No. 135 / Thursday, July 14, 2016 / Notices asabaliauskas on DSK3SPTVN1PROD with NOTICES permit it to exercise common control of these entities and CTCR once CTCR acquires the Brady Line. The exemption will become effective July 28, 2016. OmniTRAX represents that: (1) The rail line to be acquired and operated by CTCR does not connect with the lines of any of the OmniTRAX Railroads; (2) the continuance in control transaction is not part of a series of anticipated transactions that would result in such a connection; and (3) the proposed transaction does not involve a Class I carrier. Therefore, the transaction is exempt from the prior approval requirements of 49 U.S.C. 11323. See 49 CFR 1180.2(d)(2). Under 49 U.S.C. 10502(g), the Board may not use its exemption authority to relieve a rail carrier of its statutory obligation to protect the interests of its employees. Section 11326(c), however, does not provide for labor protection for transactions under 11324 and 11325 that involve only Class III rail carriers. Accordingly, the Board may not impose labor protective conditions here, because all of the carriers involved are Class III carriers. If the verified notice contains false or misleading information, the exemption is void ab initio. Petitions to revoke the exemption under 49 U.S.C. 10502(d) may be filed at any time. The filing of a petition to revoke will not automatically stay the effectiveness of the exemption. Petitions for stay must be filed no later than July 21, 2016 (at least seven days before the exemption becomes effective). An original and 10 copies of all pleadings, referring to Docket No. FD 36019, must be filed with the Surface Transportation Board, 395 E Street SW., Washington, DC 20423–0001. In addition, one copy of each pleading must be served on William C. Sippel, Fletcher & Sippel LLC, 29 North Wacker Drive, Suite 920, Chicago, IL 60606. Board decisions and notices are available on our Web site at ‘‘WWW.STB.DOT.GOV.’’ Decided: July 11, 2016. By the Board, Rachel D. Campbell, Director, Office of Proceedings. Tia Delano, Clearance Clerk. [FR Doc. 2016–16674 Filed 7–13–16; 8:45 am] BILLING CODE 4915–01–P pending a ruling on the petition. The Board granted the petition in a decision served July 14, 2016, and therefore is removing this proceeding from abeyance and publishing this notice. VerDate Sep<11>2014 19:33 Jul 13, 2016 Jkt 238001 DEPARTMENT OF THE TREASURY Debt Management Advisory Committee Meeting Notice is hereby given, pursuant to 5 U.S.C. 2, 10(a)(2), that a meeting will be held at the Hay-Adams Hotel, 16th Street and Pennsylvania Avenue NW., Washington, DC on August 2, 2016 at 11:30 a.m. of the following debt management advisory committee: Treasury Borrowing Advisory Committee of the Securities Industry and Financial Markets Association. The agenda for the meeting provides for a charge by the Secretary of the Treasury or his designate that the Committee discuss particular issues and conduct a working session. Following the working session, the Committee will present a written report of its recommendations. The meeting will be closed to the public, pursuant to 5 U.S.C. 2, 10(d) and Public Law 103–202, 202(c)(1)(B) (31 U.S.C. 3121 note). This notice shall constitute my determination, pursuant to the authority placed in heads of agencies by 5 U.S.C. 2, 10(d) and vested in me by Treasury Department Order No. 101–05, that the meeting will consist of discussions and debates of the issues presented to the Committee by the Secretary of the Treasury and the making of recommendations of the Committee to the Secretary, pursuant to Public Law 103–202,202(c)(1)(B). Thus, this information is exempt from disclosure under that provision and 5 U.S.C. 552b(c)(3)(B). In addition, the meeting is concerned with information that is exempt from disclosure under 5 U.S.C. 552b(c)(9)(A). The public interest requires that such meetings be closed to the public because the Treasury Department requires frank and full advice from representatives of the financial community prior to making its final decisions on major financing operations. Historically, this advice has been offered by debt management advisory committees established by the several major segments of the financial community. When so utilized, such a committee is recognized to be an advisory committee under 5 U.S.C. 2, 3. Although the Treasury’s final announcement of financing plans may not reflect the recommendations provided in reports of the Committee, premature disclosure of the Committee’s deliberations and reports would be likely to lead to significant financial speculation in the securities market. Thus, this meeting falls within the exemption covered by 5 U.S.C. 552b(c)(9)(A). PO 00000 Frm 00149 Fmt 4703 Sfmt 4703 45597 Treasury staff will provide a technical briefing to the press on the day before the Committee meeting, following the release of a statement of economic conditions and financing estimates. This briefing will give the press an opportunity to ask questions about financing projections. The day after the Committee meeting, Treasury will release the minutes of the meeting, any charts that were discussed at the meeting, and the Committee’s report to the Secretary. The Office of Debt Management is responsible for maintaining records of debt management advisory committee meetings and for providing annual reports setting forth a summary of Committee activities and such other matters as may be informative to the public consistent with the policy of 5 U.S.C. 552(b). The Designated Federal Officer or other responsible agency official who may be contacted for additional information is Fred Pietrangeli, Director for Office of Debt Management (202) 622–1876. Dated: July 7, 2016. Fred Pietrangeli, Director, Office of Debt Management. [FR Doc. 2016–16509 Filed 7–13–16; 8:45 am] BILLING CODE 4810–25–M DEPARTMENT OF VETERANS AFFAIRS Privacy Act of 1974; System of Records AGENCY: Department of Veterans Affairs (VA). Notice of amendment of system of records. ACTION: As required by the Privacy Act of 1974 (5 U.S.C. 552a(e)(4)), notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records entitled ‘‘Enrollment and Eligibility Records-VA’’ (147VA16) as set forth in 73 FR 15847. VA is amending the system of records by revising the System Number, System Location, Categories of Individuals Covered by the System, Category of Records in the System, Authority for Maintenance of the System, Purpose, Routine Uses of Records Maintained in the System, Storage, Safeguards, Retention and Disposal, and Record Source Category. VA is republishing the system notice in its entirety. DATES: Comments on this new system of records must be received no later than August 15, 2016. If no public comment is received during the period allowed for comment or unless otherwise SUMMARY: E:\FR\FM\14JYN1.SGM 14JYN1 asabaliauskas on DSK3SPTVN1PROD with NOTICES 45598 Federal Register / Vol. 81, No. 135 / Thursday, July 14, 2016 / Notices published in the Federal Register by VA, the new system will become effective August 15, 2016. ADDRESSES: Written comments concerning the amended system of records may be submitted through www.regulations.gov; by mail or handdelivery to Director, Regulations Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue NW., Room 1068, Washington, DC 20420; or by fax to (202) 273–9026. All comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461–4902 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS) at www.regulations.gov. FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420; telephone (704) 245–2492. SUPPLEMENTARY INFORMATION: The System Number is changed from 147VA16 to 147VA10NF1 to reflect the current organizational alignment. The System Location is being amended to remove Austin Automation Center (AAC) and replace it with Austin Information Technology Center (AITC); and 24VA19 is being removed and replaced with 24VA10P2. Also, Veteran Identification Card (VIC) National Card Management Directory (NCMD) located at the Hines, Illinois, and Silver Spring, Maryland VA facilities is being removed and replaced with Veteran Health Identification Card (VHIC) located at the AITC and 3M Cogent, Inc. The Category of Individuals Covered by the System is being amended to include Veterans and caregivers inquiring about, applying for and participating in the Program of Comprehensive Assistance for Family Caregivers and the Program of General Caregiver Support Services established by the Caregivers and Veterans Omnibus Health Services Act of 2010, Public Law 111–163, signed into law on May 5, 2010, as well as individuals who call into the VA’s Caregiver Support Line. The Category of Records in the System is being amended to add Member ID number—which is Department of Defense’s Electronic Data Interchange Personal Identifier (EDIPI), Plan ID, special awards and Branch of Service. The Caregiver database that tracks these program participants includes, but is not limited to: The VerDate Sep<11>2014 19:33 Jul 13, 2016 Jkt 238001 Veteran and/or caregiver(s) name, Social Security number, gender, age, date of birth, address, phone number, and email address; VA eligibility related information, such as service connection, DD 214, ‘‘Certification of Release or Discharge from Active Duty’’, Line of Duty documentation, and stipend payment information; written correspondence; VA Form 10–10CG, ‘‘Application for Comprehensive Assistance for Family Caregiver Program’’; and correspondence with Caregiver Support Line, including referral information and VA staff remarks. The Authority for Maintenance of the System is being amended to add Title 28 U.S.C. and 38 U.S.C. 1720G. The Purpose is being updated to include VA’s Caregiver Support Program and providing enrolled Veterans with customized Veterans Health Benefits Handbooks. The Routine Uses of Records Maintained in the System has been amended by adding Routine Use #15 which states, ‘‘VA may disclose the name and Veteran Health Identification Card image of a missing patient from a VA health care facility to local law enforcement for the purpose of assisting in locating the missing patient.’’ VA needs to locate missing patients quickly for their safety and enlisting the assistance of local law enforcement is crucial to being able to find patients as quick as possible. The Storage is being amended to remove NCMD databases and replace it with 3M Cogent, Inc. databases. The Safeguard section is being amended to remove Silver Spring and Hines databases and replace it with 3M Cogent, Inc. AAC is being replaced with AITC and VIC is being replaced with VHIC. The Retention and Disposal is being amended to remove the language that Regardless of the record medium, all records are disposed of in accordance with the records retention standards approved by the Archivist of the United States, NARA, and published in the VHA Records Control Schedule 10–1. This section is being replaced with per Records Control Schedule (RCS) 10–1 May of 2016; Use disposition schedule 1250.1.b Health Eligibility Center (HEC) Records, Optical Disks or Other Electronic Medium will be temporarily deleted when all phase of the Veteran’s appeal rights have ended (ten years after the income year for which the means test verification was conducted) (N1– 15–98–3, item 2). All Ad-Hoc reports created as part of this system shall be managed per National Archives and Records Administration (NARA) PO 00000 Frm 00150 Fmt 4703 Sfmt 4703 approved General Record Schedule (GRS) 3.2 Items 030, Ad-Hoc reports. The Record Source Category is being amended to replace 24VA19 with 24VA10P2; 79VA19 with 79VA10P2; and 89VA16 with 89VA10NB. The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000. Signing Authority The Secretary of Veterans Affairs, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Gina S. Farrisee, Deputy Chief of Staff, approved this document on June 30, 2016, for publication. Dated: July 6, 2016. Kathleen M. Manwell, Program Analyst, VA Privacy Service, Office of Privacy and Records Management, Department of Veterans Affairs. 147VA10NF1 SYSTEM NAME: Enrollment and Eligibility RecordsVA. SYSTEM LOCATION: Records are maintained at the Health Eligibility Center (HEC) in Atlanta, Georgia; the Austin Information Technology Center (AITC) in Austin, Texas; at each VA health care facility as described in the VA system of records entitled ‘‘Patient Medical Records-VA’’ (24VA10P2); and at the Veteran Health Identification Card (VHIC) located at the AITC and 3M Cogent, Inc. Electronic and magnetic records are also stored at contracted facilities for storage and back-up purposes. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Title 28 U.S.C., title 38, U.S.C., sections 501(a), 1705, 1710, 1720G, 1722, and 5317. PURPOSE(S): Information in this system of records is used to establish and maintain applicants’ records necessary to support the delivery of health care benefits; establish applicants’ eligibility for VA health care benefits; VA’s Caregiver Support Program; operate an annual enrollment system; provide eligible Veterans with an identification card; E:\FR\FM\14JYN1.SGM 14JYN1 Federal Register / Vol. 81, No. 135 / Thursday, July 14, 2016 / Notices collect from an applicant’s health insurance provider for care of their nonservice-connected conditions; provide educational materials related to VA health care benefits, such as the customized Veterans Health Benefits Handbook, respond to Veteran and nonVeteran inquiries related to VA health care benefits, and compile management reports. CATEGORIES OF INDIVIDUALS COVERED BY THIS SYSTEM: The records contain information on individuals who have applied for or who have received VA health care benefits under title 38 U.S.C., chapter 17. The records also include Veterans and caregivers inquiring about, applying for and participating in the Program of Comprehensive Assistance for Family Caregivers and the Program of General Caregiver Support Services established by the Caregivers and Veterans Omnibus Health Services Act of 2010, Public Law 111–163, signed into law on May 5, 2010, as well as individuals who call into VA’s Caregiver Support Line, Veterans, their spouses and dependents as provided for in other provisions of title 38 U.S.C. asabaliauskas on DSK3SPTVN1PROD with NOTICES CATEGORIES OF RECORDS IN THE SYSTEM: The categories of records in this system may include: Medical benefit applications; eligibility and enrollment information, including information obtained from Veterans Benefits Administration’s automated records, such as the ‘‘Compensation, Pension, Education and Rehabilitation RecordsVA’’ (58VA21/22), and VHIC information including applicant’s name, address(es), date of birth, Member ID number—which is Department of Defense’s Electronic Data Interchange Personal Identifier (EDIPI), Plan ID, special awards and Branch of Service, Internal Control Number (ICN), applicant’s image, preferred facility and facility requesting a VHIC, names, addresses and phone numbers of persons to contact in the event of a medical emergency, family information including spouse and dependent(s) name(s), address(es) and Social Security number; applicant and spouse’s employment information, including occupation, employer(s) name(s) and address(es); financial information concerning the applicant and the applicant’s spouse including family income, assets, expenses, debts; third party health plan contract information, including health insurance carrier name and address, policy number and time period covered by policy; facility location(s) where treatment is provided; type of treatment provided (i.e., VerDate Sep<11>2014 19:33 Jul 13, 2016 Jkt 238001 inpatient or outpatient); information about the applicant’s military service (e.g., dates of active duty service, dates and branch of service, and character of discharge, combat service dates and locations, military decorations, POW status and military service experience including exposures to toxic substances); information about the applicant’s eligibility for VA compensation or pension benefits, and the applicant’s enrollment status and enrollment priority group. These records also include, but are not limited to, individual correspondence provided to the HEC by Veterans, their family members and Veterans’ representatives, such as Veteran Service Officers (VSO); copies of death certificates; DD Form 214, ‘‘Certificate of Release or Discharge from Active Duty’’; disability award letters; VA and other pension applications; VA Form 10–10EZ, ‘‘Application for Health Benefits’’; VA Form 10–10EZR, ‘‘Health Benefits Renewal’’; VA Form 10–10EC, ‘‘Application for Extended Care Services’’; and workers compensation forms. The Caregiver database that tracks these program participants includes, but is not limited to: the Veteran and/or caregiver(s) name, Social Security number, gender, age, date of birth, address, phone number, and email address; VA eligibility related information, such as service connection, DD 214, ‘‘Certification of Release or Discharge from Active Duty’’, Line of Duty documentation, and stipend payment information; written correspondence; VA Form 10–10CG, ‘‘Application for Comprehensive Assistance for Family Caregiver Program’’; and correspondence with Caregiver Support Line, including referral information and VA staff remarks. RECORD SOURCE CATEGORIES: Information in the systems of records may be provided by the applicant; applicant’s spouse or other family members or accredited representatives or friends; health insurance carriers; other Federal agencies; ‘‘Patient Medical Records-VA’’ (24VA10P2) system of records; ‘‘Veterans Health Information System and Technology Architecture (VistA) Records-VA’’ (79VA10P2); ‘‘Income Verification Records-VA’’ (89VA10NB); and Veterans Benefits Administration automated record systems, including ‘‘Veterans and Beneficiaries Identification and Records Location Subsystem-VA’’ (38VA23) and the ‘‘Compensation, Pension, Education and Rehabilitation Records-VA’’ (58VA21/22). PO 00000 Frm 00151 Fmt 4703 Sfmt 4703 45599 ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164 (i.e., individually identifiable health information), that information cannot be disclosed under a routine use unless there is also specific regulatory authority in 45 CFR parts 160 and 164 permitting disclosure. 1. VA may disclose information from this system of records, as deemed necessary and proper, to named individuals serving as accredited service organization representatives and other individuals named as approved agents or attorneys for a documented purpose and period of time, to aid beneficiaries in the preparation and presentation of their cases during the verification and/ or due process procedures and in the presentation and prosecution of claims under laws administered by VA. 2. VA may disclose on its own initiative any information in this system, except the names and home addresses of Veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names and addresses of Veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. 3. VA may disclose information from this system of records to private attorneys representing Veterans rated incompetent in conjunction with issuance of Certificates of Incompetence, in the course of presenting evidence to a court, magistrate or administrative tribunal, in matters of guardianship, inquests and commitments; and to probation and parole officers in connection with court required duties. 4. VA may disclose information to a VA Federal fiduciary or a guardian ad litem in relation to his or her representation of a Veteran only to the extent necessary to fulfill the duties of the VA Federal fiduciary or the guardian ad litem. E:\FR\FM\14JYN1.SGM 14JYN1 asabaliauskas on DSK3SPTVN1PROD with NOTICES 45600 Federal Register / Vol. 81, No. 135 / Thursday, July 14, 2016 / Notices 5. VA may disclose information to attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and to courts, boards, or commissions, but only to the extent necessary to aid VA in the preparation, presentation, and prosecution of claims authorized under Federal, State, or local laws, and regulations promulgated thereunder. 6. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA’s initiative or in response to DoJ’s request for the information, after either VA or DoJ determines that such information is relevant to DoJ’s representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. 7. VA may disclose information to the NARA and General Services Administration in records management inspections conducted under authority of title 44 U.S.C. 8. VA may disclose information for the purposes identified below to a third party, except consumer reporting agencies, in connection with any proceeding for the collection of an amount owed to the United States by virtue of a person’s participation in any benefit program administered by VA. Information may be disclosed under this routine use only to the extent that it is reasonably necessary for the following purposes: (a) To assist VA in the collection of costs of services provided individuals not entitled to such services, (b) to initiate civil or criminal legal actions for collecting amounts owed to the United States, and (c) for prosecuting individuals who willfully or fraudulently obtained or seek to obtain title 38 medical benefits. This disclosure is consistent with 38 U.S.C. 5701(b)(6). 9. VA may disclose information such as the name and address of a Veteran or other information as is reasonably necessary to identify such Veteran, and any information concerning the Veteran’s indebtedness to the United VerDate Sep<11>2014 19:33 Jul 13, 2016 Jkt 238001 States by virtue of the person’s participation in a benefits program administered by VA, to a consumer reporting agency for purposes of assisting in the collection of such indebtedness, provided that the provisions of 38 U.S.C. 5701(g)(4) have been met. 10. VA may disclose information to individuals, organizations, private or public agencies, or other entities with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA in order for the individual or entity with whom VA has an agreement or contract to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary individual or entity to perform an activity that is necessary for the individual or entity with whom VA has a contract or agreement to provide the service to VA. 11. VA may disclose information from the record of an individual who is covered by a system of records to a member of Congress, or a staff person acting for the member, when the member or staff person requests the record on behalf of and at the written request of the individual. 12. VA may disclose information to other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs. 13. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosure is required by the Memorandum from the Office of Management and Budget (M–07–16), PO 00000 Frm 00152 Fmt 4703 Sfmt 4703 dated May 22, 2007, of all systems of records of all Federal agencies. This routine use also permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727. 14. Identifying information, including Social Security number of Veterans, spouse(s) of Veterans, and dependents of Veterans, may be disclosed to other Federal agencies for purposes of conducting computer matches, to obtain information to determine or verify eligibility of Veterans who are receiving VA medical care under relevant sections of title 38 U.S.C. 15. VA may disclose the name and VHIC image of a missing patient from a VA health care facility to local law enforcement for the purpose of assisting in locating the missing patient. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Records are maintained on magnetic tape, magnetic disk, optical disk and paper at the HEC, VHIC databases, VA medical centers, the 3M Cogent, Inc. databases, AITC, contract facilities, and at Federal Record Centers. In most cases, copies of back-up computer files are maintained at off-site locations and/ or agencies with whom VA has a contract or agreement to perform such services, as VA may deem practicable. POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS: Records are retrieved by name, and/or Social Security number, ICN, military service number, claim folder number, correspondence tracking number, internal record number, facility number, or other assigned identifiers of the individuals on whom they are maintained. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: Per RCS10–1 May of 2016; use disposition schedule 1250.1.b HEC Records, Optical Disks or Other Electronic Medium will be temporarily deleted when all phase of the Veteran’s appeal rights have ended (ten years after the income year for which the means test verification was conducted) (N1– 15–98–3, item 2). All Ad-Hoc reports created as part of this system shall be managed per NARA approved GRS 3.2 Items 030, Ad-Hoc reports. PHYSICAL, PROCEDURAL, AND ADMINISTRATIVE SAFEGUARDS: 1. Data transmissions between VA health care facilities, the HEC, the AITC, E:\FR\FM\14JYN1.SGM 14JYN1 asabaliauskas on DSK3SPTVN1PROD with NOTICES Federal Register / Vol. 81, No. 135 / Thursday, July 14, 2016 / Notices 3M Cogent, Inc. databases are accomplished using the Department’s secure wide area network. The software programs automatically flag records or events for transmission based upon functional requirements. Server jobs at each facility run continuously to check for data to be transmitted and/or incoming data which needs to be parsed to files on the receiving end. All messages containing data transmissions include header information that is used for validation purposes. The recipients of the messages are controlled and/or assigned to the mail group based on their role or position. Consistency checks in the software are used to validate the transmission and electronic acknowledgment messages are returned to the sending application. VA’s Office of Cyber Security has oversight responsibility for planning and implementing computer security. 2. Working spaces and record storage areas at HEC, AITC, and the VHIC processing locations are secured during all business hours, as well as during non-business hours. All entrance doors require an electronic pass card, for entry when unlocked, and entry doors are locked outside normal business hours. Visitors to the HEC are required to present identification, sign-in at a specified location, and are issued a pass card that restricts access to nonsensitive areas. Visitors to the HEC are escorted by staff through restricted areas. At the end of the visit, visitors are required to turn in their badge. The building is equipped with an intrusion alarm system, which is activated during non-business hours. This alarm system is monitored by a private security service vendor. The office space occupied by employees with access to Veteran records is secured with an electronic locking system, which requires a card for entry and exit of that office space. Access to the AITC is generally restricted to AITC staff, VA Central Office employees, custodial personnel, Federal Protective Service and authorized operational personnel through electronic locking devices. All other persons gaining access to the computer rooms are escorted. 3. Access to the VHIC contractor secured work areas is also controlled by electronic entry devices, which require a card and manual input for entry and exit of the production space. The VHIC contractor’s building is also equipped with an intrusion alarm system and a security service vendor monitors the system. 4. Contract employees are required to sign a Business Associates Agreement as required by the HIPAA Privacy Rule as acknowledgement of mandatory VerDate Sep<11>2014 19:33 Jul 13, 2016 Jkt 238001 provisions regarding the use and disclosure of protected health information. Employee and contractor access is deactivated when no longer required for official duties or upon termination of employment. Recurring monitors are in place to ensure compliance with nationally and locally established security measures. 5. Beneficiary’s enrollment and eligibility information is transmitted from the Enrollment and Eligibility information system to VA health care facilities over the Department’s secure computerized electronic communications system. 6. Only specific key staff have authorized access to the computer room. Programmer access to the information systems is restricted only to staff whose official duties require that level of access. 7. On-line data reside on magnetic media in the HEC and AITC computer rooms that are highly secured. Backup media are stored in the computer room within the same building and only information system staff and designated management staff have access to the computer room. On a weekly basis, backup media are stored in off-site storage by a media storage vendor. The vendor picks up and returns the media in a locked storage container; vendor personnel do not have key access to the locked container. The AITC has established a backup plan for the Enrollment system as part of a required Certification and Accreditation of the information system. 8. Any sensitive information that may be downloaded to personal computers or printed to hard copy format is provided the same level of security as the electronic records. All paper documents and informal notations containing sensitive data are shredded prior to disposal. All magnetic media (primary computer system) and personal computer disks are degaussed prior to disposal or release off-site for repair. The VHIC contractor destroys all Veteran identification data 30 days after the VHIC card has been mailed to the Veteran in accordance with contractual requirements. 9. All new HEC employees receive initial information security and privacy training; refresher training is provided to all employees on an annual basis. The HEC’s Information Security Officer performs an annual information security audit and periodic reviews to ensure security of the system. This annual audit includes the primary computer information system, the telecommunication system, and local area networks. Additionally, the Internal Revenue Service performs PO 00000 Frm 00153 Fmt 4703 Sfmt 4703 45601 periodic on-site inspections to ensure the appropriate level of security is maintained for Federal tax data. 10. Identification codes and codes used to access Enrollment and Eligibility information systems and records systems, as well as security profiles and possible security violations, are maintained on magnetic media in a secure environment at the Center. For contingency purposes, database backups on removable magnetic media are stored off-site by a licensed and bonded media storage vendor. 11. Contractors, subcontractors, and other users of the Enrollment and Eligibility Records systems will adhere to the same safeguards and security requirements to which HEC staff must comply. ACCESS: 1. In accordance with national and locally established data security procedures, access to enrollment information databases (HEC Legacy system and the Enrollment Database) is controlled by unique entry codes (access and verification codes). The user’s verification code is automatically set to be changed every 90 days. User access to data is controlled by role-based access as determined necessary by supervisory and information security staff as well as by management of option menus available to the employee. Determination of such access is based upon the role or position of the employee and functionality necessary to perform the employee’s assigned duties. 2. On an annual basis, employees are required to sign a computer access agreement acknowledging their understanding of confidentiality requirements. In addition, all employees receive annual privacy awareness and information security training. Access to electronic records is deactivated when no longer required for official duties. Recurring monitors are in place to ensure compliance with nationally and locally established security measures. 3. User access to the VHIC database utilizes the national NT network authentication infrastructure. The external VHIC vendor utilizes the OneVA Virtual Private Network secured connection for access to VHIC records. 4. Strict control measures are enforced to ensure that access to and disclosure from all records is limited to VA and the contractor’s employees whose official duties warrant access to those files. 5. As required by the provisions of the Health Insurance Portability and Accountability ACT (HIPAA) Privacy Rule, 45 CFR parts 160 and 164, access to records by HEC employees is E:\FR\FM\14JYN1.SGM 14JYN1 45602 Federal Register / Vol. 81, No. 135 / Thursday, July 14, 2016 / Notices classified under functional category ‘‘Eligibility and Enrollment Staff.’’ SYSTEM MANAGER(S) AND ADDRESSES: Official responsible for policies and procedures: Chief Business Officer (10NB), VA Central Office, 1722 I Street NW., Washington, DC 20420. Official maintaining the system: Director, Health Eligibility Center, 2957 Clairmont Road, Atlanta, GA 30329. RECORD ACCESS PROCEDURE: asabaliauskas on DSK3SPTVN1PROD with NOTICES Individuals seeking information regarding access to and contesting of VerDate Sep<11>2014 19:33 Jul 13, 2016 Jkt 238001 Enrollment and Eligibility Records may write to the Director, Health Eligibility Center, 2957 Clairmont Road, Atlanta, GA 30329. CONTESTING RECORD PROCEDURES: (See Record Access procedures above). record, should submit a written request or apply in person to the Health Eligibility Center. All inquiries must reasonably identify the records requested. Inquiries should include the individual’s full name, Social Security number, military service number, claim folder number and return address. NOTIFICATION PROCEDURE: Any individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to determine the contents of such PO 00000 Frm 00154 Fmt 4703 Sfmt 9990 EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. [FR Doc. 2016–16640 Filed 7–13–16; 8:45 am] BILLING CODE P E:\FR\FM\14JYN1.SGM 14JYN1

Agencies

[Federal Register Volume 81, Number 135 (Thursday, July 14, 2016)]
[Notices]
[Pages 45597-45602]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-16640]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment of system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 (5 U.S.C. 552a(e)(4)), 
notice is hereby given that the Department of Veterans Affairs (VA) is 
amending the system of records entitled ``Enrollment and Eligibility 
Records-VA'' (147VA16) as set forth in 73 FR 15847. VA is amending the 
system of records by revising the System Number, System Location, 
Categories of Individuals Covered by the System, Category of Records in 
the System, Authority for Maintenance of the System, Purpose, Routine 
Uses of Records Maintained in the System, Storage, Safeguards, 
Retention and Disposal, and Record Source Category. VA is republishing 
the system notice in its entirety.

DATES: Comments on this new system of records must be received no later 
than August 15, 2016. If no public comment is received during the 
period allowed for comment or unless otherwise

[[Page 45598]]

published in the Federal Register by VA, the new system will become 
effective August 15, 2016.

ADDRESSES: Written comments concerning the amended system of records 
may be submitted through www.regulations.gov; by mail or hand-delivery 
to Director, Regulations Management (02REG), Department of Veterans 
Affairs, 810 Vermont Avenue NW., Room 1068, Washington, DC 20420; or by 
fax to (202) 273-9026. All comments received will be available for 
public inspection in the Office of Regulation Policy and Management, 
Room 1063B, between the hours of 8 a.m. and 4:30 p.m., Monday through 
Friday (except holidays). Please call (202) 461-4902 for an 
appointment. In addition, during the comment period, comments may be 
viewed online through the Federal Docket Management System (FDMS) at 
www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue 
NW., Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION: The System Number is changed from 147VA16 to 
147VA10NF1 to reflect the current organizational alignment.
    The System Location is being amended to remove Austin Automation 
Center (AAC) and replace it with Austin Information Technology Center 
(AITC); and 24VA19 is being removed and replaced with 24VA10P2. Also, 
Veteran Identification Card (VIC) National Card Management Directory 
(NCMD) located at the Hines, Illinois, and Silver Spring, Maryland VA 
facilities is being removed and replaced with Veteran Health 
Identification Card (VHIC) located at the AITC and 3M Cogent, Inc.
    The Category of Individuals Covered by the System is being amended 
to include Veterans and caregivers inquiring about, applying for and 
participating in the Program of Comprehensive Assistance for Family 
Caregivers and the Program of General Caregiver Support Services 
established by the Caregivers and Veterans Omnibus Health Services Act 
of 2010, Public Law 111-163, signed into law on May 5, 2010, as well as 
individuals who call into the VA's Caregiver Support Line.
    The Category of Records in the System is being amended to add 
Member ID number--which is Department of Defense's Electronic Data 
Interchange Personal Identifier (EDIPI), Plan ID, special awards and 
Branch of Service. The Caregiver database that tracks these program 
participants includes, but is not limited to: The Veteran and/or 
caregiver(s) name, Social Security number, gender, age, date of birth, 
address, phone number, and email address; VA eligibility related 
information, such as service connection, DD 214, ``Certification of 
Release or Discharge from Active Duty'', Line of Duty documentation, 
and stipend payment information; written correspondence; VA Form 10-
10CG, ``Application for Comprehensive Assistance for Family Caregiver 
Program''; and correspondence with Caregiver Support Line, including 
referral information and VA staff remarks.
    The Authority for Maintenance of the System is being amended to add 
Title 28 U.S.C. and 38 U.S.C. 1720G.
    The Purpose is being updated to include VA's Caregiver Support 
Program and providing enrolled Veterans with customized Veterans Health 
Benefits Handbooks.
    The Routine Uses of Records Maintained in the System has been 
amended by adding Routine Use #15 which states, ``VA may disclose the 
name and Veteran Health Identification Card image of a missing patient 
from a VA health care facility to local law enforcement for the purpose 
of assisting in locating the missing patient.'' VA needs to locate 
missing patients quickly for their safety and enlisting the assistance 
of local law enforcement is crucial to being able to find patients as 
quick as possible.
    The Storage is being amended to remove NCMD databases and replace 
it with 3M Cogent, Inc. databases.
    The Safeguard section is being amended to remove Silver Spring and 
Hines databases and replace it with 3M Cogent, Inc. AAC is being 
replaced with AITC and VIC is being replaced with VHIC.
    The Retention and Disposal is being amended to remove the language 
that Regardless of the record medium, all records are disposed of in 
accordance with the records retention standards approved by the 
Archivist of the United States, NARA, and published in the VHA Records 
Control Schedule 10-1. This section is being replaced with per Records 
Control Schedule (RCS) 10-1 May of 2016; Use disposition schedule 
1250.1.b Health Eligibility Center (HEC) Records, Optical Disks or 
Other Electronic Medium will be temporarily deleted when all phase of 
the Veteran's appeal rights have ended (ten years after the income year 
for which the means test verification was conducted) (N1-15-98-3, item 
2). All Ad-Hoc reports created as part of this system shall be managed 
per National Archives and Records Administration (NARA) approved 
General Record Schedule (GRS) 3.2 Items 030, Ad-Hoc reports.
    The Record Source Category is being amended to replace 24VA19 with 
24VA10P2; 79VA19 with 79VA10P2; and 89VA16 with 89VA10NB.
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of Office of Management 
and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and 
guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Secretary of Veterans Affairs, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Gina S. 
Farrisee, Deputy Chief of Staff, approved this document on June 30, 
2016, for publication.

    Dated: July 6, 2016.
Kathleen M. Manwell,
Program Analyst, VA Privacy Service, Office of Privacy and Records 
Management, Department of Veterans Affairs.
147VA10NF1

SYSTEM NAME:
    Enrollment and Eligibility Records-VA.

SYSTEM LOCATION:
    Records are maintained at the Health Eligibility Center (HEC) in 
Atlanta, Georgia; the Austin Information Technology Center (AITC) in 
Austin, Texas; at each VA health care facility as described in the VA 
system of records entitled ``Patient Medical Records-VA'' (24VA10P2); 
and at the Veteran Health Identification Card (VHIC) located at the 
AITC and 3M Cogent, Inc. Electronic and magnetic records are also 
stored at contracted facilities for storage and back-up purposes.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 28 U.S.C., title 38, U.S.C., sections 501(a), 1705, 1710, 
1720G, 1722, and 5317.

PURPOSE(S):
    Information in this system of records is used to establish and 
maintain applicants' records necessary to support the delivery of 
health care benefits; establish applicants' eligibility for VA health 
care benefits; VA's Caregiver Support Program; operate an annual 
enrollment system; provide eligible Veterans with an identification 
card;

[[Page 45599]]

collect from an applicant's health insurance provider for care of their 
nonservice-connected conditions; provide educational materials related 
to VA health care benefits, such as the customized Veterans Health 
Benefits Handbook, respond to Veteran and non-Veteran inquiries related 
to VA health care benefits, and compile management reports.

CATEGORIES OF INDIVIDUALS COVERED BY THIS SYSTEM:
    The records contain information on individuals who have applied for 
or who have received VA health care benefits under title 38 U.S.C., 
chapter 17. The records also include Veterans and caregivers inquiring 
about, applying for and participating in the Program of Comprehensive 
Assistance for Family Caregivers and the Program of General Caregiver 
Support Services established by the Caregivers and Veterans Omnibus 
Health Services Act of 2010, Public Law 111-163, signed into law on May 
5, 2010, as well as individuals who call into VA's Caregiver Support 
Line, Veterans, their spouses and dependents as provided for in other 
provisions of title 38 U.S.C.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records in this system may include: Medical 
benefit applications; eligibility and enrollment information, including 
information obtained from Veterans Benefits Administration's automated 
records, such as the ``Compensation, Pension, Education and 
Rehabilitation Records-VA'' (58VA21/22), and VHIC information including 
applicant's name, address(es), date of birth, Member ID number--which 
is Department of Defense's Electronic Data Interchange Personal 
Identifier (EDIPI), Plan ID, special awards and Branch of Service, 
Internal Control Number (ICN), applicant's image, preferred facility 
and facility requesting a VHIC, names, addresses and phone numbers of 
persons to contact in the event of a medical emergency, family 
information including spouse and dependent(s) name(s), address(es) and 
Social Security number; applicant and spouse's employment information, 
including occupation, employer(s) name(s) and address(es); financial 
information concerning the applicant and the applicant's spouse 
including family income, assets, expenses, debts; third party health 
plan contract information, including health insurance carrier name and 
address, policy number and time period covered by policy; facility 
location(s) where treatment is provided; type of treatment provided 
(i.e., inpatient or outpatient); information about the applicant's 
military service (e.g., dates of active duty service, dates and branch 
of service, and character of discharge, combat service dates and 
locations, military decorations, POW status and military service 
experience including exposures to toxic substances); information about 
the applicant's eligibility for VA compensation or pension benefits, 
and the applicant's enrollment status and enrollment priority group. 
These records also include, but are not limited to, individual 
correspondence provided to the HEC by Veterans, their family members 
and Veterans' representatives, such as Veteran Service Officers (VSO); 
copies of death certificates; DD Form 214, ``Certificate of Release or 
Discharge from Active Duty''; disability award letters; VA and other 
pension applications; VA Form 10-10EZ, ``Application for Health 
Benefits''; VA Form 10-10EZR, ``Health Benefits Renewal''; VA Form 10-
10EC, ``Application for Extended Care Services''; and workers 
compensation forms. The Caregiver database that tracks these program 
participants includes, but is not limited to: the Veteran and/or 
caregiver(s) name, Social Security number, gender, age, date of birth, 
address, phone number, and email address; VA eligibility related 
information, such as service connection, DD 214, ``Certification of 
Release or Discharge from Active Duty'', Line of Duty documentation, 
and stipend payment information; written correspondence; VA Form 10-
10CG, ``Application for Comprehensive Assistance for Family Caregiver 
Program''; and correspondence with Caregiver Support Line, including 
referral information and VA staff remarks.

RECORD SOURCE CATEGORIES:
    Information in the systems of records may be provided by the 
applicant; applicant's spouse or other family members or accredited 
representatives or friends; health insurance carriers; other Federal 
agencies; ``Patient Medical Records-VA'' (24VA10P2) system of records; 
``Veterans Health Information System and Technology Architecture 
(VistA) Records-VA'' (79VA10P2); ``Income Verification Records-VA'' 
(89VA10NB); and Veterans Benefits Administration automated record 
systems, including ``Veterans and Beneficiaries Identification and 
Records Location Subsystem-VA'' (38VA23) and the ``Compensation, 
Pension, Education and Rehabilitation Records-VA'' (58VA21/22).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164 (i.e., individually 
identifiable health information), that information cannot be disclosed 
under a routine use unless there is also specific regulatory authority 
in 45 CFR parts 160 and 164 permitting disclosure.
    1. VA may disclose information from this system of records, as 
deemed necessary and proper, to named individuals serving as accredited 
service organization representatives and other individuals named as 
approved agents or attorneys for a documented purpose and period of 
time, to aid beneficiaries in the preparation and presentation of their 
cases during the verification and/or due process procedures and in the 
presentation and prosecution of claims under laws administered by VA.
    2. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of Veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, or foreign 
agency charged with the responsibility of investigating or prosecuting 
such violation, or charged with enforcing or implementing the statute, 
regulation, rule or order. On its own initiative, VA may also disclose 
the names and addresses of Veterans and their dependents to a Federal 
agency charged with the responsibility of investigating or prosecuting 
civil, criminal or regulatory violations of law, or charged with 
enforcing or implementing the statute, regulation, rule or order issued 
pursuant thereto.
    3. VA may disclose information from this system of records to 
private attorneys representing Veterans rated incompetent in 
conjunction with issuance of Certificates of Incompetence, in the 
course of presenting evidence to a court, magistrate or administrative 
tribunal, in matters of guardianship, inquests and commitments; and to 
probation and parole officers in connection with court required duties.
    4. VA may disclose information to a VA Federal fiduciary or a 
guardian ad litem in relation to his or her representation of a Veteran 
only to the extent necessary to fulfill the duties of the VA Federal 
fiduciary or the guardian ad litem.

[[Page 45600]]

    5. VA may disclose information to attorneys, insurance companies, 
employers, third parties liable or potentially liable under health plan 
contracts, and to courts, boards, or commissions, but only to the 
extent necessary to aid VA in the preparation, presentation, and 
prosecution of claims authorized under Federal, State, or local laws, 
and regulations promulgated thereunder.
    6. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
DoJ is a use of the information contained in the records that is 
compatible with the purpose for which VA collected the records. VA, on 
its own initiative, may disclose records in this system of records in 
legal proceedings before a court or administrative body after 
determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    7. VA may disclose information to the NARA and General Services 
Administration in records management inspections conducted under 
authority of title 44 U.S.C.
    8. VA may disclose information for the purposes identified below to 
a third party, except consumer reporting agencies, in connection with 
any proceeding for the collection of an amount owed to the United 
States by virtue of a person's participation in any benefit program 
administered by VA. Information may be disclosed under this routine use 
only to the extent that it is reasonably necessary for the following 
purposes: (a) To assist VA in the collection of costs of services 
provided individuals not entitled to such services, (b) to initiate 
civil or criminal legal actions for collecting amounts owed to the 
United States, and (c) for prosecuting individuals who willfully or 
fraudulently obtained or seek to obtain title 38 medical benefits. This 
disclosure is consistent with 38 U.S.C. 5701(b)(6).
    9. VA may disclose information such as the name and address of a 
Veteran or other information as is reasonably necessary to identify 
such Veteran, and any information concerning the Veteran's indebtedness 
to the United States by virtue of the person's participation in a 
benefits program administered by VA, to a consumer reporting agency for 
purposes of assisting in the collection of such indebtedness, provided 
that the provisions of 38 U.S.C. 5701(g)(4) have been met.
    10. VA may disclose information to individuals, organizations, 
private or public agencies, or other entities with whom VA has a 
contract or agreement to perform such services as VA may deem 
practicable for the purposes of laws administered by VA in order for 
the individual or entity with whom VA has an agreement or contract to 
perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary individual or entity to perform an activity 
that is necessary for the individual or entity with whom VA has a 
contract or agreement to provide the service to VA.
    11. VA may disclose information from the record of an individual 
who is covered by a system of records to a member of Congress, or a 
staff person acting for the member, when the member or staff person 
requests the record on behalf of and at the written request of the 
individual.
    12. VA may disclose information to other Federal agencies to assist 
such agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    13. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise, there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
entity) that rely upon the potentially compromised information; and (3) 
the disclosure is to agencies, entities, or persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosure is required by the Memorandum from the Office of Management 
and Budget (M-07-16), dated May 22, 2007, of all systems of records of 
all Federal agencies. This routine use also permits disclosures by the 
Department to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision of credit 
protection services as provided in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.
    14. Identifying information, including Social Security number of 
Veterans, spouse(s) of Veterans, and dependents of Veterans, may be 
disclosed to other Federal agencies for purposes of conducting computer 
matches, to obtain information to determine or verify eligibility of 
Veterans who are receiving VA medical care under relevant sections of 
title 38 U.S.C.
    15. VA may disclose the name and VHIC image of a missing patient 
from a VA health care facility to local law enforcement for the purpose 
of assisting in locating the missing patient.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are maintained on magnetic tape, magnetic disk, optical 
disk and paper at the HEC, VHIC databases, VA medical centers, the 3M 
Cogent, Inc. databases, AITC, contract facilities, and at Federal 
Record Centers. In most cases, copies of back-up computer files are 
maintained at off-site locations and/or agencies with whom VA has a 
contract or agreement to perform such services, as VA may deem 
practicable.

POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:
    Records are retrieved by name, and/or Social Security number, ICN, 
military service number, claim folder number, correspondence tracking 
number, internal record number, facility number, or other assigned 
identifiers of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Per RCS10-1 May of 2016; use disposition schedule 1250.1.b HEC 
Records, Optical Disks or Other Electronic Medium will be temporarily 
deleted when all phase of the Veteran's appeal rights have ended (ten 
years after the income year for which the means test verification was 
conducted) (N1-15-98-3, item 2). All Ad-Hoc reports created as part of 
this system shall be managed per NARA approved GRS 3.2 Items 030, Ad-
Hoc reports.

PHYSICAL, PROCEDURAL, AND ADMINISTRATIVE SAFEGUARDS:
    1. Data transmissions between VA health care facilities, the HEC, 
the AITC,

[[Page 45601]]

3M Cogent, Inc. databases are accomplished using the Department's 
secure wide area network. The software programs automatically flag 
records or events for transmission based upon functional requirements. 
Server jobs at each facility run continuously to check for data to be 
transmitted and/or incoming data which needs to be parsed to files on 
the receiving end. All messages containing data transmissions include 
header information that is used for validation purposes. The recipients 
of the messages are controlled and/or assigned to the mail group based 
on their role or position. Consistency checks in the software are used 
to validate the transmission and electronic acknowledgment messages are 
returned to the sending application. VA's Office of Cyber Security has 
oversight responsibility for planning and implementing computer 
security.
    2. Working spaces and record storage areas at HEC, AITC, and the 
VHIC processing locations are secured during all business hours, as 
well as during non-business hours. All entrance doors require an 
electronic pass card, for entry when unlocked, and entry doors are 
locked outside normal business hours. Visitors to the HEC are required 
to present identification, sign-in at a specified location, and are 
issued a pass card that restricts access to non-sensitive areas. 
Visitors to the HEC are escorted by staff through restricted areas. At 
the end of the visit, visitors are required to turn in their badge. The 
building is equipped with an intrusion alarm system, which is activated 
during non-business hours. This alarm system is monitored by a private 
security service vendor. The office space occupied by employees with 
access to Veteran records is secured with an electronic locking system, 
which requires a card for entry and exit of that office space. Access 
to the AITC is generally restricted to AITC staff, VA Central Office 
employees, custodial personnel, Federal Protective Service and 
authorized operational personnel through electronic locking devices. 
All other persons gaining access to the computer rooms are escorted.
    3. Access to the VHIC contractor secured work areas is also 
controlled by electronic entry devices, which require a card and manual 
input for entry and exit of the production space. The VHIC contractor's 
building is also equipped with an intrusion alarm system and a security 
service vendor monitors the system.
    4. Contract employees are required to sign a Business Associates 
Agreement as required by the HIPAA Privacy Rule as acknowledgement of 
mandatory provisions regarding the use and disclosure of protected 
health information. Employee and contractor access is deactivated when 
no longer required for official duties or upon termination of 
employment. Recurring monitors are in place to ensure compliance with 
nationally and locally established security measures.
    5. Beneficiary's enrollment and eligibility information is 
transmitted from the Enrollment and Eligibility information system to 
VA health care facilities over the Department's secure computerized 
electronic communications system.
    6. Only specific key staff have authorized access to the computer 
room. Programmer access to the information systems is restricted only 
to staff whose official duties require that level of access.
    7. On-line data reside on magnetic media in the HEC and AITC 
computer rooms that are highly secured. Backup media are stored in the 
computer room within the same building and only information system 
staff and designated management staff have access to the computer room. 
On a weekly basis, backup media are stored in off-site storage by a 
media storage vendor. The vendor picks up and returns the media in a 
locked storage container; vendor personnel do not have key access to 
the locked container. The AITC has established a backup plan for the 
Enrollment system as part of a required Certification and Accreditation 
of the information system.
    8. Any sensitive information that may be downloaded to personal 
computers or printed to hard copy format is provided the same level of 
security as the electronic records. All paper documents and informal 
notations containing sensitive data are shredded prior to disposal. All 
magnetic media (primary computer system) and personal computer disks 
are degaussed prior to disposal or release off-site for repair. The 
VHIC contractor destroys all Veteran identification data 30 days after 
the VHIC card has been mailed to the Veteran in accordance with 
contractual requirements.
    9. All new HEC employees receive initial information security and 
privacy training; refresher training is provided to all employees on an 
annual basis. The HEC's Information Security Officer performs an annual 
information security audit and periodic reviews to ensure security of 
the system. This annual audit includes the primary computer information 
system, the telecommunication system, and local area networks. 
Additionally, the Internal Revenue Service performs periodic on-site 
inspections to ensure the appropriate level of security is maintained 
for Federal tax data.
    10. Identification codes and codes used to access Enrollment and 
Eligibility information systems and records systems, as well as 
security profiles and possible security violations, are maintained on 
magnetic media in a secure environment at the Center. For contingency 
purposes, database backups on removable magnetic media are stored off-
site by a licensed and bonded media storage vendor.
    11. Contractors, subcontractors, and other users of the Enrollment 
and Eligibility Records systems will adhere to the same safeguards and 
security requirements to which HEC staff must comply.

ACCESS:
    1. In accordance with national and locally established data 
security procedures, access to enrollment information databases (HEC 
Legacy system and the Enrollment Database) is controlled by unique 
entry codes (access and verification codes). The user's verification 
code is automatically set to be changed every 90 days. User access to 
data is controlled by role-based access as determined necessary by 
supervisory and information security staff as well as by management of 
option menus available to the employee. Determination of such access is 
based upon the role or position of the employee and functionality 
necessary to perform the employee's assigned duties.
    2. On an annual basis, employees are required to sign a computer 
access agreement acknowledging their understanding of confidentiality 
requirements. In addition, all employees receive annual privacy 
awareness and information security training. Access to electronic 
records is deactivated when no longer required for official duties. 
Recurring monitors are in place to ensure compliance with nationally 
and locally established security measures.
    3. User access to the VHIC database utilizes the national NT 
network authentication infrastructure. The external VHIC vendor 
utilizes the One-VA Virtual Private Network secured connection for 
access to VHIC records.
    4. Strict control measures are enforced to ensure that access to 
and disclosure from all records is limited to VA and the contractor's 
employees whose official duties warrant access to those files.
    5. As required by the provisions of the Health Insurance 
Portability and Accountability ACT (HIPAA) Privacy Rule, 45 CFR parts 
160 and 164, access to records by HEC employees is

[[Page 45602]]

classified under functional category ``Eligibility and Enrollment 
Staff.''

SYSTEM MANAGER(S) AND ADDRESSES:
    Official responsible for policies and procedures: Chief Business 
Officer (10NB), VA Central Office, 1722 I Street NW., Washington, DC 
20420. Official maintaining the system: Director, Health Eligibility 
Center, 2957 Clairmont Road, Atlanta, GA 30329.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of Enrollment and Eligibility Records may write to the Director, Health 
Eligibility Center, 2957 Clairmont Road, Atlanta, GA 30329.

CONTESTING RECORD PROCEDURES:
    (See Record Access procedures above).

NOTIFICATION PROCEDURE:
    Any individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request or apply in person to the Health Eligibility 
Center. All inquiries must reasonably identify the records requested. 
Inquiries should include the individual's full name, Social Security 
number, military service number, claim folder number and return 
address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

[FR Doc. 2016-16640 Filed 7-13-16; 8:45 am]
BILLING CODE P