Privacy Act of 1974; System of Records, 6094-6100 [2018-02760]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 83, Number 29 (Monday, February 12, 2018)]
[Notices]
[Pages 6094-6100]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-02760]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Veterans Health Administration (VHA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, notice is hereby given 
that the Department of Veterans Affairs (VA) is amending the system of 
records entitled, ``National Patient Databases-VA'' (121VA10P2) as set 
forth in 79 FR 8245. VA is amending the system of records by revising 
the System Number, Purpose, Routine Uses of Records Maintained in the 
System, Record Source Category, and Appendix. VA is republishing the 
system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than March 14, 2018. If no public comment is received 
during the period allowed for comment or unless otherwise published in 
the Federal Register by VA, the amended system will become effective 
March 14, 2018.

ADDRESSES: Written comments may be submitted through 
www.Regulations.gov; by mail or hand-delivery to Director, Regulation 
Policy and Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave. NW, Room 1064, Washington, DC 20420; or by fax to (202) 
273-9026 (not a toll-free number). Comments should indicate that they 
are submitted in response to ``National Patient Databases-VA''. Copies 
of comments received will be available for public inspection in the 
Office of Regulation Policy and Management, Room 1063B, between the 
hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except 
holidays). Please call (202) 461-4902 for an appointment. (This is not 
a toll-free number.) In addition, comments may be viewed online at 
www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, 
Washington, DC 20420; telephone (704) 245-2492. (This is not a toll-
free number.)

SUPPLEMENTARY INFORMATION: The System Number is being changed from 
120VA10P2 to 121VA10A7 to reflect the current organizational alignment.
    The Purpose has been amended to replace Healthcare Associated 
Infections & Influenza Surveillance System (HAIISS) with National 
Center for Patient Safety Public Health System.
    The Routine Uses of Records Maintained in the System has been 
amended by adding language to Routine Use #21 which states, ``a. 
Effective Response. A federal agency's ability to respond quickly and 
effectively in the event of a breach of federal data is critical to its 
efforts to prevent or minimize any consequent harm. An effective 
response necessitates disclosure of information regarding the breach to 
those individuals affected by it, as well as to persons and entities in 
a position to cooperate, either by assisting in notification to 
affected individuals or playing a role in preventing or minimizing 
harms from the breach. b. Disclosure of Information. Often, the 
information to be disclosed to such persons and entities is maintained 
by federal agencies and is subject to the Privacy Act (5 U.S.C. 552a). 
The Privacy Act prohibits the disclosure of any record in a system of 
records by any means of communication to any person or agency absent 
the written consent of the subject individual, unless the disclosure 
falls within one of twelve statutory exceptions. This routine use is 
required in order to ensure an agency is in the best position to 
respond in a timely and effective manner, in accordance with 5 U.S.C. 
552a(b)(3) of the Privacy Act, agencies should publish a routine use 
for appropriate systems specifically applying to the disclosure of 
information in connection with response and remedial efforts in the 
event of a data breach.''
    Adding Routine Use #27 which states, ``Disclosure of Veteran 
identifiers and demographic information (e.g., name, social security 
number (SSN), address, date of birth) may be made to an organization 
with whom VA has a documented partnership, arrangement or agreement 
(e.g., Health Information Exchange (HIE), Health Information Service 
Provider (HISP) Direct, CommonWell Health Alliance network), for the 
purpose of identifying and correlating patients.'' VA needs this 
ability to share demographic information for correlation and 
identification purposes.
    Routine use #28 is being added to state, ``VA may disclose relevant 
health care information to the Centers for Disease Control and 
Prevention (CDC) and/or their designee in response to its request or at 
the initiation of VA, in connection with disease-tracking, patient 
outcomes, bio-surveillance, or other health information required for 
program accountability.'' VA needs the ability to conduct disease 
tracking to impact patient outcomes, respond to public health threats, 
and to contribute significantly to the CDC's ability to conduct and 
monitor public health surveillance.
    Routine use #29 is being added to state, ``VA may, on its own 
initiative, disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach. VA needs this 
routine use for the data breach response and remedial efforts with 
another Federal agency.
    Routine use #30 is being added to state, ``VA may disclose relevant 
healthcare and demographic information to health and welfare agencies, 
housing resources, and community providers, consistent with good 
medical-ethical practices, for Veterans assessed by or engaged in VA 
homeless programs for purposes of coordinating care, expediting access 
to housing, providing medical and related services, participating in 
coordinated entry processes, reducing Veteran homelessness, identifying 
homeless individuals in need of immediate assistance and ensuring 
program accountability by assigning and tracking responsibility for 
urgently required care.'' VA needs this routine use to effectively and 
efficiently collaborate with partner agencies by sharing information 
documented in the Homeless Operations Management and Evaluation System 
(HOMES) for the explicit purpose of improving timeliness and access to 
necessary services for Veterans in the homeless continuum.
    The Record Source Category is being amended to replace 89VA16 with

[[Page 6095]]

89VA10NB to reflect the current organizational alignment.
    Appendix 4 has been amended by:
    1. Removing the ``Oncology Tumor Registry (ONC)'' which is now 
incorporated in the VA Central Cancer Registry (VACCR); therefore, ONC 
is no longer needed as a separate registry.
    2. Amending the Veterans Affairs Surgical Quality Improvement 
Program (VASQIP) address is being amended to replace VA National 
Surgery Office (10NC2), 810 Vermont Avenue NW, Washington, DC 20420 
with Region 06 Office of Information and Technology (OI&T) Data Center, 
Denver, CO 80220.
    3. Replacing HAIISS Data Warehouse is being replaced with National 
Center for Patient Safety Public Health System (NCPSPHS) due to the 
HAISS being discontinued, therefore adding NCPSPHS represented a change 
of mission as well as data content.
    4. ``Public Health Reference Network'' is being replaced with 
NCPSPHS due to the information technology (IT) system being 
discontinued and a name change to better describe the mission of the IT 
system within VHA.
    5. Adding the ``Inpatient Evaluation Center (IPEC) Legionella Case 
Report Module'', which are located at the Austin Information Technology 
Center, 1615 Woodward Street, Austin, TX 78772. IPEC is being added as 
system to record aggregate data about hospitalized patients, the 
Legionnaire Module was added to record individual patient data with a 
patient identifier used to track patients diagnosed with Legionnaire's 
Disease.
    6. Adding the ``Veterans Integrated Registry Platform'', which a 
new health registry platform designed to host VHA health registries.
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of Office of Management 
and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and 
guidelines issued by OMB (65 FR 77677),
    Signing Authority: The Secretary of Veterans Affairs, or designee, 
approved this document and authorized the undersigned to sign and 
submit the document to the Office of the Federal Register for 
publication electronically as an official document of the Department of 
Veterans Affairs. Gina S. Farrisee, Deputy Chief of Staff, approved 
this document on July 24, 2017, for publication.

    Dated: February 7, 2018.
Kathleen M. Manwell,
Program Analyst, VA Privacy Service, Office of Privacy Information and 
Identity Protection, Office of Quality, Privacy and Risk, Office of 
Information and Technology, Department of Veterans Affairs.
SYSTEM NAME: National Patient Databases-VA (121VA10A7)

SECURITY CLASSIFICATION: None.
SYSTEM LOCATION:
    Records are maintained at VA medical centers, VA data processing 
centers, Veterans Integrated Service Networks (VISN), and Office of 
Information field offices. Address location for each VA national 
patient database is listed in VA Appendix 4 at the end of this 
document.

SYSTEM MANAGER(S):
    Officials responsible for policies and procedures: Assistant Deputy 
Under Secretary for Informatics and Information Governance (10P2), 
Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 
20420. Officials maintaining this system of records: Director, National 
Data Systems (10P2C), Austin Information Technology Center, 1615 
Woodward Street, Austin, Texas 78772.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38 United States Code Section 501.

PURPOSE(S) OF THE SYSTEM:
    The records and information may be used for statistical analysis to 
produce various management, workload tracking, and follow-up reports; 
to track and evaluate the ordering and delivery of equipment, services, 
and patient care; for the planning, distribution, and utilization of 
resources; to monitor the performance of VISNs; and to allocate 
clinical and administrative support to patient medical care. The data 
may be used for VA's extensive research programs in accordance with VA 
policy. In addition, the data may be used to assist in workload 
allocation for patient treatment services including provider panel 
management, nursing care, clinic appointments, surgery, prescription 
processing, diagnostic and therapeutic procedures; to plan and schedule 
training activities for employees; for audits, reviews, and 
investigations conducted by the network directors office and VA Central 
Office; for quality assurance audits, reviews, and investigations; for 
law enforcement investigations; and for personnel management, 
evaluation and employee ratings, and performance evaluations. Survey 
data will be collected for the purpose of measuring and monitoring 
national, VISN, and facility-level performance on the Veterans Health 
Administration's (VHA) Veteran Health Care Service Standards (VHSS) 
pursuant to Executive Order 12862 and VHA Customer Service Standards 
Directive. The VHSS are designed to measure levels of patient 
satisfaction in areas that patients have defined as important in 
receiving quality, patient-centered health care. Results of the survey 
data analysis are shared throughout the VHA system. The External Peer 
Review Program (EPRP) data are collected in order to provide medical 
centers and outpatient clinics with diagnosis and procedure-specific 
quality of care information. EPRP is a contracted review of care, 
specifically designated to collect data to be used to improve the 
quality of care. The Veteran Homeless records and information will be 
used for case management in addition to statistical analysis to produce 
various management, workload tracking, and follow-up reports; to track 
and evaluate the goal of ending Veteran homelessness. National Center 
for Patient Safety Public Health System data will be available to VHA 
clinicians to use for the monitoring of health care-associated 
infections and for the transmittal of data to state/local health 
departments for biosurveillance purposes.

CATEGORIES OF INDIVIDUALS COVERED BY THIS SYSTEM:
    The records contain information for all individuals (1) Receiving 
health care from VHA, and (2) Providing the health care. Individuals 
encompass Veterans and their immediate family members, members of the 
Armed Services, current and former employees, trainees, contractors, 
subcontractors, consultants, volunteers, and other individuals working 
collaboratively with VA.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information and health information related 
to:
    1. Patient medical record abstract information including, but not 
limited to, information from Patient Medical Record--VA (24VA10P2).
    2. Identifying information (e.g., name, birth date, death date, 
admission date, discharge date, gender, social security number, 
taxpayer identification number); address information (e.g., home and/or 
mailing address, home telephone number, emergency contact information 
such as name, address, telephone number, and relationship); prosthetic 
and sensory aid serial numbers; medical record numbers; integration 
control numbers; information related to medical

[[Page 6096]]

examination or treatment (e.g., location of VA medical facility 
providing examination or treatment, treatment dates, medical conditions 
treated or noted on examination); information related to military 
service and status;
    3. Medical benefit and eligibility information;
    4. Patient workload data such as admissions, discharges, and 
outpatient visits; resource utilization such as laboratory tests, x-
rays;
    5. Patient Satisfaction Survey Data which include questions and 
responses;
    6. EPRP data capture;
    7. Online Data Collection system supported by Northeast Program 
Evaluation Center and VHA Support Service Center to include electronic 
information from all Veteran homeless programs and external sources; 
and
    8. Clinically oriented information associated with My HealtheVet 
such as secure messages.

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by Veterans, VA 
employees, VA computer systems, Veterans Health Information Systems and 
Technology Architecture, VA medical centers, VA Health Eligibility 
Center, VA program offices, VISNs, VA Austin Automation Center, the 
Food and Drug Administration (FDA), Department of Defense (DOD), 
Department of Housing and Urban Development (HUD), Survey of Healthcare 
Experiences of Patients, EPRP, and the following Systems Of Records: 
`Patient Medical Records--VA' (24VA10P2), `National Prosthetics Patient 
Database--VA' (33VA113), `Healthcare Eligibility Records--VA' 
(89VA10NB), VA Veterans Benefits Administration automated record 
systems (including the Veterans and Beneficiaries Identification and 
Records Location Subsystem--VA (38VA23)), and subsequent iterations of 
those systems of records.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 38 U.S.C. 7332, i.e., medical treatment 
information related to drug abuse, alcoholism or alcohol abuse, sickle 
cell anemia or infection with the human immunodeficiency virus; 
information protected by 38 U.S.C. 5705, i.e., quality assurance 
records; or information protected by 45 CFR Parts 160 and 164, i.e., 
individually identifiable health information, such information cannot 
be disclosed under a routine use unless there is also specific 
statutory authority permitting the disclosure. VA may disclose 
protected health information pursuant to the following routine uses 
where required or permitted by law.
    1. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of Veterans and their 
dependents, that is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal, or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, state, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule, or order. On its own initiative, VA may 
also disclose the names and addresses of Veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal, or regulatory violations of law, or 
charged with enforcing or implementing the statute, regulation, rule, 
or order issued pursuant thereto.
    2. Disclosure may be made to any source from which additional 
information is requested (to the extent necessary to identify the 
individual, inform the source of the purpose(s) of the request, and 
identify the type of information requested), when necessary to obtain 
or provide information relevant to an individual's eligibility, care 
history, or other benefits across different Federal, state, or local, 
public health, health care, or program benefit agencies that improves 
the quality and safety of health care for our Veterans.
    3. Disclosure may be made to a Federal agency in the executive, 
legislative, or judicial branch, state and local Government or the 
District of Columbia government in response to its request or at the 
initiation of VA, in connection with disease tracking, patient 
outcomes, or other health information required for program 
accountability.
    4. Disclosure may be made to the National Archives and Records 
Administration and the General Services Administration for records 
management inspections under authority of Title 44, Chapter 29, of the 
United States Code.
    5. VA may disclose information in this system of records to the 
Department of Justice (DOJ), either on VA's initiative or in response 
to DOJ's request for the information, after either VA or DOJ determines 
that such information is relevant to DOJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
DOJ is a use of the information contained in the records that is 
compatible with the purpose for which VA collected the records. VA, on 
its own initiative, may disclose records in this system of records in 
legal proceedings before a court or administrative body after 
determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    6. Records from this system of records may be disclosed to a 
Federal agency or to a state or local government licensing board and/or 
to the Federation of State Medical Boards or a similar nongovernment 
entity that maintains records concerning individuals' employment 
histories or concerning the issuance, retention, or revocation of 
licenses, certifications, or registration necessary to practice an 
occupation, profession, or specialty, in order for the agency to obtain 
information relevant to an agency decision concerning the hiring, 
retention, or termination of an employee.
    7. Records from this system of records may be disclosed to inform a 
Federal agency, licensing boards, or appropriate non-governmental 
entities about the health care practices of a terminated, resigned, or 
retired health care employee whose professional health care activity so 
significantly failed to conform to generally accepted standards of 
professional medical practice as to raise reasonable concern for the 
health and safety of patients receiving medical care in the private 
sector or from another Federal agency.
    8. For program review purposes and the seeking of accreditation 
and/or certification, disclosure may be made to survey teams of the 
Joint Commission, College of American Pathologists, American 
Association of Blood Banks, and similar national accreditation agencies 
or boards with whom VA has a contract or agreement to conduct such 
reviews but only to the extent that the information is necessary and 
relevant to the review.
    9. Disclosure may be made to a national certifying body that has 
the authority to make decisions concerning the issuance, retention, or 
revocation of licenses, certifications, or registrations required to 
practice a health care profession, when requested in writing by an 
investigator or supervisory official of the national certifying body 
for the purpose of making a decision concerning the issuance, 
retention, or

[[Page 6097]]

revocation of the license, certification, or registration of a named 
health care professional.
    10. Records from this system that contain information listed in 5 
U.S.C. 7114(b)(4) may be disclosed to officials of labor organizations 
recognized under 5 U.S.C. Chapter 71 when relevant and necessary to 
their duties of exclusive representation concerning personnel policies, 
practices, and matters affecting working conditions.
    11. Disclosure may be made to the representative of an employee of 
all notices, determinations, decisions, or other written communications 
issued to the employee in connection with an examination ordered by VA 
under medical evaluation (formerly fitness-for duty) examination 
procedures or Department-filed disability retirement procedures.
    12. VA may disclose information to officials of the Merit Systems 
Protection Board, or the Office of Special Counsel, when requested in 
connection with appeals, special studies of the civil service and other 
merit systems, review of rules and regulations, investigation of 
alleged or possible prohibited personnel practices, and such other 
functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be 
authorized by law.
    13. VA may disclose information to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discriminatory practices, examination of Federal 
affirmative employment programs, or for other functions of the 
Commission as authorized by law or regulation.
    14. VA may disclose information to the Federal Labor Relations 
Authority (including its General Counsel) information related to the 
establishment of jurisdiction, the investigation and resolution of 
allegations of unfair labor practices, or information in connection 
with the resolution of exceptions to arbitration awards when a question 
of material fact is raised; to disclose information in matters properly 
before the Federal Services Impasses Panel, and to investigate 
representation petitions and conduct or supervise representation 
elections.
    15. Disclosure of medical record data, excluding name and address, 
unless name and address are furnished by the requester, may be made to 
non-Federal research facilities for research purposes determined to be 
necessary and proper when approved in accordance with VA policy.
    16. Disclosure of name(s) and address(s) of present or former 
personnel of the Armed Services, and/or their dependents, may be made 
to: (a) A Federal department or agency, at the written request of the 
head or designee of that agency; or (b) directly to a contractor or 
subcontractor of a Federal department or agency, for the purpose of 
conducting Federal research necessary to accomplish a statutory purpose 
of an agency. When disclosure of this information is made directly to a 
contractor, VA may impose applicable conditions on the department, 
agency, and/or contractor to insure the appropriateness of the 
disclosure to the contractor.
    17. Disclosure may be made to individuals, organizations, private 
or public agencies, or other entities or individuals with whom VA has a 
contract or agreement to perform such services as VA may deem 
practicable for the purposes of laws administered by VA, in order for 
the contractor, subcontractor, public or private agency, or other 
entity or individual with whom VA has an agreement or contract to 
perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary entity or individual to perform an activity 
that is necessary for individuals, organizations, private or public 
agencies, or other entities or individuals with whom VA has a contract 
or agreement to provide the service to VA.
    18. Disclosure may be made to a congressional office from the 
record of an individual in response to an inquiry from the 
congressional office made at the request of that individual.
    19. VA may disclose information to a Federal agency for the conduct 
of research and data analysis to perform a statutory purpose of that 
Federal agency upon the prior written request of that agency, provided 
that there is legal authority under all applicable confidentiality 
statutes and regulations to provide the data and the VHA Office of 
Information has determined prior to the disclosure that VHA data 
handling requirements are satisfied.
    20. Disclosure of limited individual identification information may 
be made to another Federal agency for the purpose of matching and 
acquiring information held by that agency for VHA to use for the 
purposes stated for this system of records.
    21. VA may, on its own initiative disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) VA has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security, confidentiality, or integrity of 
this system or other systems or programs (whether maintained by VA or 
another agency or entity) that rely upon the potentially compromised 
information; and (3) the disclosure is to agencies, entities, or 
persons whom VA determines are reasonably necessary to assist or carry 
out VA's efforts to respond to the suspected or confirmed compromise 
and prevent, minimize, or remedy such harm. This routine use permits 
disclosures by VA to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision of credit 
protection services as provided in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.
    a. Effective Response. A federal agency's ability to respond 
quickly and effectively in the event of a breach of federal data is 
critical to its efforts to prevent or minimize any consequent harm. An 
effective response necessitates disclosure of information regarding the 
breach to those individuals affected by it, as well as to persons and 
entities in a position to cooperate, either by assisting in 
notification to affected individuals or playing a role in preventing or 
minimizing harms from the breach.
    b. Disclosure of Information. Often, the information to be 
disclosed to such persons and entities is maintained by federal 
agencies and is subject to the Privacy Act (5 U.S.C. 552a). The Privacy 
Act prohibits the disclosure of any record in a system of records by 
any means of communication to any person or agency absent the written 
consent of the subject individual, unless the disclosure falls within 
one of twelve statutory exceptions. In order to ensure an agency is in 
the best position to respond in a timely and effective manner, in 
accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, agencies should 
publish a routine use for appropriate systems specifically applying to 
the disclosure of information in connection with response and remedial 
efforts in the event of a data breach.
    22. On its own initiative, VA may disclose to the general public 
via an internet website, Primary Care Management Module information, 
including the names of its providers, provider panel sizes and reports 
on provider performance measures of quality when approved in accordance 
with VA policy.

[[Page 6098]]

    23. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    24. VA may disclose names and addresses of present or former 
members of the Armed Services and/or their dependents under certain 
circumstances: (a) To any nonprofit organization, if the release is 
directly connected with the conduct of programs and the utilization of 
benefits under Title 38, or (b) to any criminal or civil law 
enforcement governmental agency or instrumentality charged under 
applicable law with the protection of the public health or safety, if a 
qualified representative of such organization, agency, or 
instrumentality has made a written request for such names or addresses 
for a purpose authorized by law, provided that the records will not be 
used for any purpose other than that stated in the request and that the 
organization, agency, or instrumentality is aware of the penalty 
provision of 38 U.S.C. 5701(f).
    25. VA may disclose information, including demographic information, 
to HUD for the purpose of reducing homelessness among Veterans by 
implementing the Federal strategic plan to prevent and end homelessness 
and by evaluating and monitoring the HUD-Veterans Affairs Supported 
Housing program.
    26. VA may disclose health care information to the FDA, or a person 
subject to the jurisdiction of the FDA, with respect to FDA-regulated 
products, for purposes of reporting adverse events; product defects or 
problems, or biological product deviations; tracking products; enabling 
product recalls, repairs, or replacements; and/or conducting post 
marketing surveillance.
    27. Disclosure of Veteran identifiers and demographic information 
(e.g., name, SSN, address, date of birth) may be made to an 
organization with whom VA has a documented partnership, arrangement or 
agreement (e.g., HIE, HISP, Direct and CommonWell Health Alliance 
Network) for the purpose of identifying and correlating patients.
    28. VA may disclose relevant health care information to the CDC 
and/or their designee in response to its request or at the initiation 
of VA, in connection with disease-tracking, patient outcomes, bio-
surveillance, or other health information required for program 
accountability.
    29. VA may, on its own initiative, disclose information from this 
system to another Federal agency or Federal entity, when VA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    30. VA may disclose relevant healthcare and demographic information 
to health and welfare agencies, housing resources, and community 
providers, consistent with good medical-ethical practices, for Veterans 
assessed by or engaged in VA homeless programs for purposes of 
coordinating care, expediting access to housing, providing medical and 
related services, participating in coordinated entry processes, 
reducing Veteran homelessness, identifying homeless individuals in need 
of immediate assistance and ensuring program accountability by 
assigning and tracking responsibility for urgently required care.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are maintained on electronic storage media including 
magnetic tape, disk, and laser optical media.

POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:
    Records are retrieved by name, social security number or other 
assigned identifiers of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The records are disposed of in accordance with General Records 
Schedule 20, item 4. Item 4 provides for deletion of data files when 
the agency determines that the files are no longer needed for 
administrative, legal, audit, or other operational purposes.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. Access to and use of national patient databases are limited to 
those persons whose official duties require such access, and VA has 
established security procedures to ensure that access is appropriately 
limited. Information security officers and system data stewards review 
and authorize data access requests. VA regulates data access with 
security software that authenticates users and requires individually 
unique codes and passwords. VA provides information security training 
to all staff and instructs staff on the responsibility each person has 
for safeguarding data confidentiality.
    2. VA maintains Business Associate Agreements and Non-Disclosure 
Agreements with contracted resources in order to maintain 
confidentiality of the information.
    3. Physical access to computer rooms housing national patient 
databases is restricted to authorized staff and protected by a variety 
of security devices. Unauthorized employees, contractors, and other 
staff are not allowed in computer rooms. The Federal Protective Service 
or other security personnel provide physical security for the buildings 
housing computer rooms and data centers.
    4. Data transmissions between operational systems and national 
patient databases maintained by this system of record are protected by 
state-of-the-art telecommunication software and hardware. This may 
include firewalls, encryption, and other security measures necessary to 
safeguard data as it travels across the VA Wide Area Network. Data may 
be transmitted via a password protected spreadsheet and placed on the 
secured share point Web portal by the user that has been provided 
access to their secure file. Data can only be accessed by authorized 
personnel from each facility within the Polytrauma System of Care and 
the Physical Medicine and Rehabilitation Program Office.
    5. In most cases, copies of back-up computer files are maintained 
at off-site locations.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of records in this system may write or call the Director of National 
Data Systems (10P2C), Austin Information Technology Center, 1615 
Woodward Street, Austin, Texas 78772, or call the VA National Service 
Desk and ask to speak with the VHA Director of National Data Systems at 
(512) 326-6780.

CONTESTING RECORD PROCEDURES:
    (See Record Access procedures above).

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether this system of records 
contains information about them should contact the Director of National 
Data Systems (10P2C), Austin Information Technology Center, 1615 
Woodward Street, Austin, Texas 78772. Inquiries should include the 
person's full name, social security number, location and dates of 
employment or location and dates of treatment, and their return 
address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

[[Page 6099]]

HISTORY:
    Last full publication provided in 79 FR 8245 dated February 11, 
2014.

VA APPENDIX 4

------------------------------------------------------------------------
             Database name                           Location
------------------------------------------------------------------------
Addiction Severity Index (ASI).........  Veterans Affairs Medical
                                          Center, 7180 Highland Drive,
                                          Pittsburg, PA 15206.
Bidirectional Health Information         SunGard, 1500 Spring Garden
 Exchange (BHIE).                         Street, Philadelphia, PA
                                          19130.
Breast Care Registry...................  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
VA Clinical Assessment Reporting and     Denver VA Medical Center, 1055
 Tracking (CART) Program.                 Clermont Street, Denver, CO
                                          80220.
Consolidated Mail Outpatient Pharmacy    Southwest CMOP, 3675 East
 (CMOP) Centralized Database System.      Britannia Drive, Tucson, AZ
                                          85706.
Converged Registries Solution (CRS)....  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Cruetzfelet-Jakob Disease Lookback       Cincinnati VA Medical Center,
 Dataset (CJDLD).                         3200 Vine Street, Cincinnati,
                                          OH 45220.
Defense and Veterans Eye Injury          Austin Information Technology
 Registry (DVEIR).                        Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Dental Encounter System (DES)..........  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Eastern Pacemaker Surveillance Center    Veterans Affairs Medical
 Database.                                Center, 50 Irving Street NW,
                                          Washington, DC 20422.
Emerging Pathogens Initiative (EPI)....  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Federal Health Information Exchange      SunGard, 1500 Spring Garden
 (FHIE).                                  Street, Philadelphia, PA
                                          19130.
Financial Clinical Data Mart (FCDM)....  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Former Prisoner of War Statistical       Austin Information Technology
 Tracking System.                         Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Functional Status and Outcome Database   Austin Information Technology
 (FSOD).                                  Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Home Based Primary Care (HBC)..........  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Homeless Operational Management &        Austin Information Technology
 Evaluation System (HOMES).               Center, 1615 Woodward Street,
                                          Austin, Texas 78772.
Homeless Veterans Registry.............  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Implant Tracking Registry..............  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
IPEC Legionella Case Report Module.....  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Mammography Quality Standards (MQS) VA.  Veterans Affairs Medical
                                          Center, 508 Fulton Street,
                                          Durham, NC 27705.
Master Veteran Index...................  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Medical SAS File (MDP) (Medical          Austin Information Technology
 District Planning (MEDIPRO)).            Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Multiple Sclerosis Surveillance Request  Austin Information Technology
 (MSSR) Registry.                         Center, 1615 Woodward Street,
                                          Austin, TX 78772.
National Center for Patient Safety       Veterans Affairs Medical
 Public Health System (NCPSPHS).          Center, 3801 Miranda Avenue,
                                          Palo Alto, CA 94304.
National Mental Health Database System   Veterans Affairs Medical
 (NMHDS).                                 Center, 7180 Highland Drive,
                                          Pittsburgh, PA 15206.
National Medical Information System      Austin Information Technology
 (NMIS).                                  Center, 1615 Woodward Street,
                                          Austin, TX 78772.
National Survey of Veterans (NSV)......  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Patient Assessment File (PAF)..........  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Pharmacy Benefits Management (PBM).....  Veterans Affairs Medical
                                          Center, 5th Avenue and
                                          Roosevelt Road, Hines, IL
                                          60141.
Remote Order Entry System (ROES).......  Denver Distribution Center, 155
                                          Van Gordon Street, Lakewood,
                                          CO 80228-1709.
Resident Assessment Instrument/Minimum   Austin Information Technology
 Data Set (RAI/MDS).                      Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Traumatic Brain Injury (TBI) Registry..  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
VA National Clozapine Registry (NCCC)..  Veterans Affairs Medical
                                          Center, 4500 South Lancaster
                                          Road, Dallas, TX 75216.
Veterans Affairs Surgical Quality        VA National Surgery Office
 Improvement Program (VASQIP).            (10NC2), 810 Vermont Avenue
                                          NW, Washington, DC 20420.
VA Vital Status File (VSF).............  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Veterans Administration Central Cancer   Veterans Affairs Medical
 Registry (VACCR).                        Center, 50 Irving Street NW,
                                          Washington, DC 20422.

[[Page 6100]]

 
Veterans Health Administration Support   Austin Information Technology
 Service Center (VSSC).                   Center, 1615 Woodward Street,
                                          Austin, TX 78772.
Veterans Integrated Registry Platform..  Austin Information Technology
                                          Center, 1615 Woodward Street,
                                          Austin, TX 78772.
War Related Illness and Injury Study     VA Palo Alto Health Care
 Center (WRIISC) Database.                System, 3801 Miranda Avenue,
                                          Mail Code 151Y, Palo Alto, CA
                                          94304.
------------------------------------------------------------------------


[FR Doc. 2018-02760 Filed 2-9-18; 8:45 am]
 BILLING CODE 8320-01-P