Privacy Act of 1974; System of Records, 64935-64940 [2018-27334]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 83, Number 242 (Tuesday, December 18, 2018)]
[Notices]
[Pages 64935-64940]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-27334]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 requires that all agencies publish in 
the Federal Register a notice of the existence and character of their 
systems of records. Notice is hereby given that the Department of 
Veterans Affairs (VA) is establishing a new system of records entitled, 
``HealthShare Referral Manager (HSRM)-VA'' (180VA10D).

DATES: Comments on this new system of records must be received no later 
than January 17, 2019. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by VA, the new system will become effective January 17, 2019. 
If VA receives public comments, VA shall review the comments to 
determine whether any changes to the notice are necessary.

ADDRESSES: Written comments concerning the new system of records may be 
submitted by: Mail or hand-delivery to Director, Regulations Management 
(00REG), Department of Veterans Affairs, 810 Vermont Avenue NW, Room 
1068, Washington, DC 20420; fax to (202) 273-9026; or Email to https://www.Regulations.gov. Comments should indicate that they are submitted 
in response to ``HealthShare Referral Manager (HSRM)-VA'' (180VA10D). 
All comments received will be available for public inspection in the 
Office of Regulation Policy and Management, Room 1063B, between the 
hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except 
holidays). Please call (202) 461-4902 (this is not a toll-free number) 
for an appointment.

FOR FURTHER INFORMATION CONTACT: Kevin Kania, Program Manager, 
Community Care Referrals and

[[Page 64936]]

Authorization (CCRA) System, Office of Community Care, Hines Office of 
Information and Technology Field Office, Edward Hines, Jr. VA Hospital, 
P.O. Box 7008, Building 37, Room 128, Hines, IL 60141; telephone at 
(815) 254-0334. (This is not a toll-free number.)

SUPPLEMENTARY INFORMATION:

I. Description of Proposed Systems of Records

    CCRA is an enterprise-wide solution in support of the Veterans 
Access, Choice, and Accountability Act of 2014 (Pub. L. 113-146) 
(``Choice Act''), as amended by the VA Expiring Authorities Act of 2014 
(Pub. L. 113-175), to generate referrals and authorizations for 
Veterans receiving care in the community. VA clinical providers and 
Non-VA clinical providers will access a cloud based software system to 
request and refer clinical care for Veterans with Non-VA Community Care 
providers. This solution will enhance Veteran access to care by 
utilizing a common and modern system to orchestrate the complex 
business of VA referral management. The CCRA solution is an integral 
component of the VA Community Care (CC) Information Technology (IT) 
architecture, and will track and share health care information and 
correspondence necessary for Veterans to be seen for appropriate and 
approved episodes of CC. The CCRA solution will allow the VA to move to 
a process that generates standardized referrals and authorizations, 
according to clinical and business rules.
    The CCRA project completed a contract to provide HealthShare 
Referral Manager by Intersystems as the CCRA solution. HealthShare 
Referral Manager is a commercial off-the-shelf software product that 
will be hosted in an Amazon Web Services (AWS) FedRAMP High Gov cloud 
and is planned for enterprise integration with VA systems, both inside 
and outside of CC.

II. Proposed Routine Use Disclosures of Data in the System

    We are proposing to establish the following Routine Use disclosures 
of information maintained in the system. To the extent that records 
contained in the system include information protected by 38 U.S.C. 
7332, i.e., medical treatment information related to drug abuse, 
alcoholism or alcohol abuse, sickle cell anemia or infection with the 
human immunodeficiency virus; information protected by 38 U.S.C. 5705, 
i.e., quality assurance records; or information protected by 45 CFR 
parts 160 and 164, i.e., individually identifiable health information, 
such information cannot be disclosed under a routine use unless there 
is also specific statutory authority permitting the disclosure. VA may 
disclose protected health information pursuant to the following routine 
uses where required or permitted by law.
    1. VA may disclose information from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of that individual. VA must be able to provide information 
about individuals to adequately respond to inquiries from Members of 
Congress at the request of constituents who have sought their 
assistance.
    2. VA may disclose information from this system to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk of harm to individuals, VA (including its information 
systems, programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with VA's 
efforts to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    3. VA may disclose information in this system, except the names and 
home addresses of Veterans and their dependents, which is relevant to a 
suspected or reasonably imminent violation of law, whether civil, 
criminal or regulatory in nature and whether arising by general or 
program statute or by regulation, rule or order issued pursuant 
thereto, to a Federal, state, local, tribal, or foreign agency charged 
with the responsibility of investigating or prosecuting such violation, 
or charged with enforcing or implementing the statute, regulation, rule 
or order. On its own initiative, VA may also disclose the names and 
addresses of Veterans and their dependents to a Federal agency charged 
with the responsibility of investigating or prosecuting civil, criminal 
or regulatory violations of law, or charged with enforcing or 
implementing the statute, regulation, rule or order issued pursuant 
thereto. VA must be able to provide on its own initiative information 
that pertains to a violation of laws to law enforcement authorities in 
order for them to investigate and enforce those laws. Under 38 U.S.C. 
5701(a) and (f), VA may only disclose the names and addresses of 
Veterans and their dependents to Federal entities with law enforcement 
responsibilities. This is distinct from the authority to disclose 
records in response to a qualifying request from a law enforcement 
entity, as authorized by Privacy Act subsection 5 U.S.C. 552a(b)(7).
    4. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA must be able to 
provide information to DoJ in litigation where the United States or any 
of its components is involved or has an interest. A determination would 
be made in each instance that under the circumstances involved, the 
purpose is compatible with the purpose for which VA collected the 
information. This routine use is distinct from the authority to 
disclose records in response to a court order under subsection (b)(11) 
of the Privacy Act, 5 U.S.C. 552(b)(11), or any other provision of 
subsection (b), in accordance with the court's analysis in Doe v. 
DiGenova, 779 F.2d 74, 78-84 (D.C. Cir. 1985) and Doe v. Stephens, 851 
F.2d 1457, 1465-67 (D.C. Cir. 1988).
    5. VA may disclose information from this system of records to 
individuals, organizations, private or public agencies, or other 
entities or individuals with whom VA has a contract or agreement to 
perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor, subcontractor, 
public or private agency, or other entity or individual with whom VA 
has a contract or agreement to perform services under the contract or 
agreement. This routine use includes disclosures by an individual or 
entity performing services for VA to any secondary entity or individual 
to perform an activity that is necessary for individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to provide the

[[Page 64937]]

service to VA. This routine use, which also applies to agreements that 
do not qualify as contracts defined by Federal procurement laws and 
regulations, is consistent with the Office of Management and Budget 
(OMB) guidance in OMB Circular A-108, paragraph 6(j) that agencies 
promulgate routine uses to address disclosure of Privacy Act-protected 
information to contractors in order to perform the services contracts 
for the agency.
    6. VA may disclose information from this system to the Equal 
Employment Opportunity Commission (EEOC) when requested in connection 
with investigations of alleged or possible discriminatory practices, 
examination of Federal affirmative employment programs, or other 
functions of the Commission as authorized by law or regulation. VA must 
be able to provide information to EEOC to assist it in fulfilling its 
duties to protect employees' rights, as required by statute and 
regulation.
    7. VA may disclose information from this system to the Federal 
Labor Relations Authority (FLRA), including its General Counsel, 
information related to the establishment of jurisdiction, 
investigation, and resolution of allegations of unfair labor practices, 
or in connection with the resolution of exceptions to arbitration 
awards when a question of material fact is raised; for it to address 
matters properly before the Federal Services Impasses Panel, 
investigate representation petitions, and conduct or supervise 
representation elections. VA must be able to provide information to 
FLRA to comply with the statutory mandate under which it operates.
    8. VA may disclose information from this system to the Merit 
Systems Protection Board (MSPB), or the Office of the Special Counsel, 
when requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law. VA must be able to provide information to MSPB to 
assist it in fulfilling its duties as required by statute and 
regulation.
    9. VA may disclose information from this system to the National 
Archives and Records Administration (NARA) and General Services 
Administration (GSA) in records management inspections conducted under 
Title 44, U.S.C. NARA is responsible for archiving old records which 
are no longer actively used but may be appropriate for preservation, 
and for the physical maintenance of the Federal government's records. 
VA must be able to provide the records to NARA in order to determine 
the proper disposition of such records.
    10. Data breach response and remedial efforts with another Federal 
agency: VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    11. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    12. VA may disclose relevant health care information to (a) a 
Federal agency or non-VA health care provider or institution when VA 
refers a patient for hospital or nursing home care or medical services, 
or authorizes a patient to obtain non-VA medical services, and the 
information is needed by the Federal agency or non-VA institution or 
provider to perform the services, or (b) a Federal agency or a non-VA 
hospital (Federal, State and local, public, or private) or other 
medical installation having hospital facilities, blood banks, or 
similar institutions, medical schools or clinics, or other groups or 
individuals that have contracted or agreed to provide medical services 
or share the use of medical resources under the provisions of 38 U.S.C. 
513, 7409, 8111, or 8153, when treatment is rendered by VA under the 
terms of such contract or agreement, or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment and/or follow-up, determining entitlement to a benefit, or 
recovery of the costs of the medical care.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which VA collected the information. In all of the routine 
use disclosures described above, either the recipient of the 
information will use the information in connection with a matter 
relating to one of VA's programs, to provide a benefit to the VA, or to 
disclose information as required by law.
    Under section 264, Subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 
100 Stat. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable health 
Information, 45 CFR parts 160 and 164. Veterans Health Administration 
(VHA) may not disclose individually identifiable health information (as 
defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 
164.501) pursuant to a routine use unless either: (a) The disclosure is 
required by law, or (b) the disclosure is also permitted or required by 
HHS' Privacy Rule. The disclosures of individually-identifiable health 
information contemplated in the routine uses published in this new 
system of records notice are permitted under the Privacy Rule or 
required by law. However, to also have authority to make such 
disclosures under the Privacy Act, VA must publish these routine uses. 
Consequently, VA is publishing these routine uses to the routine uses 
portion of the system of records notice stating that any disclosure 
pursuant to the routine uses in this system of records notice must be 
either required by law or permitted by the Privacy Rule, before VHA may 
disclose the covered information.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director, Office of Management and Budget, as required by 5 
U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 
77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. James B. 
Ford, Acting Executive Director for Privacy, Quality, Privacy, and 
Risk, Department of Veterans Affairs approved this document on July 16, 
2018 for publication.


[[Page 64938]]


    Dated: December 13, 2018.
Kathleen M. Manwell,
Program Analyst, VA Privacy Service, Office of Information and 
Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    HealthShare Referral Manager (HSRM)-VA (180VA10D)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Amazon Web Services, LLC, 13461 Sunrise Valley Drive, Herndon, VA 
20171-3283. Community Care Referrals and Authorization (CCRA) System 
Program Manager, Office of Community Care, Hines Office of Information 
and Technology Field Office, Edward Hines, Jr. VA Hospital, P.O. Box 
7008, Building 37, Room 128, Hines, IL 60141.

SYSTEM MANAGER(S):
    Officials responsible for policies and procedures: Program Manager, 
VHA Office of Community Care (10D), Health Eligibility Center, 2957 
Clairmont Road, Suite 200 Atlanta, GA 30329-1647. Telephone number 
(815) -254-0334. (This is not a toll-free number.)

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, section 7301(a) and Veterans Access, 
Choice, and Accountability Act of 2014 (Pub. L. 113-146).

PURPOSE(S) OF THE SYSTEM:
    CCRA is an enterprise-wide system used by community care staff to 
automatically generate referrals and authorizations for all Veterans 
receiving care in the community. The system is an integral component of 
the VA community care information technology (IT) architecture, and 
will allow Veterans to receive care from community providers within the 
Community Care Network through the Veterans Choice Program. The CCRA 
system will allow these providers to view relevant patient and clinical 
information from Veterans Information Systems and Technology 
Architecture (VistA). The exchange of health care information and 
authorizations will enhance VA's ability to ensure that Veterans 
receive the best health care available to address their medical needs. 
The CCRA system will also enable the VA to move from what is currently 
a largely manual process to an automated process that generates 
standardized referrals and authorizations according to clinical and 
business rules. The automated process will decrease the administrative 
burden on VA clinical and community care staff members by way of 
establishing clinical and business pathways that which reflect best 
processes, consistent outcomes, and reduced turnaround times.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning:
    1. Veterans who have applied for health care services under Title 
38, United States Code, Chapter 17, and in certain cases members of 
their immediate families.
    2. Individuals examined or treated under contract or resource 
sharing agreements.
    3. Individuals who were provided medical care under emergency 
conditions for humanitarian reasons.
    4. Health care professionals providing examination or treatment to 
any individuals within VA health care facilities.
    5. Healthcare professionals providing examination or treatment to 
individuals under contract or resource sharing agreements or CC 
programs, such as Choice.
    6. Patients and members of their immediate family, volunteers, 
maintenance personnel, as well as individuals working collaboratively 
with VA.
    7. Contractors, sub-contractors, contract personnel, students, 
providers and consultants.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information and health information related 
to:
    1. Identifying information (e.g., name, birth date, death date, 
admission date, discharge date, gender, social security number, 
taxpayer identification number); address information (e.g., home and/or 
mailing address, home telephone number, emergency contact information 
such as name, address, telephone number, and relationship); prosthetic 
and sensory aid serial numbers; medical record numbers; integration 
control numbers; information related to medical examination or 
treatment (e.g., location of VA medical facility providing examination 
or treatment, treatment dates, medical conditions treated or noted on 
examination); information related to military service and status.
    2. Computer access authorizations, computer applications available 
and used, information access attempts, frequency and time of use; 
identification of the person responsible for, currently assigned, or 
otherwise engaged in various categories of patient care or support of 
health care delivery.
    3. Application, eligibility, and claim information regarding 
payment determination for medical services provided to VA beneficiaries 
by non-VA health care institutions and providers.
    4. Health care provider's name, address, and taxpayer 
identification number, correspondence concerning individuals and 
documents pertaining to claims for medical services, reasons for denial 
of payment, and appellate determinations.

RECORD SOURCE CATEGORIES:
    The Veteran or other VA beneficiary, family members or accredited 
representatives, and other third parties; private medical facilities 
and healthcare professionals; health insurance carriers; other Federal 
agencies; employees; contractors; VHA facilities and automated systems 
providing clinical and managerial support at VA health care facilities.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. VA may disclose information from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of that individual.
    2. VA may disclose information from this system to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk of harm to individuals, VA (including its information 
systems, programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with VA's 
efforts to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    This routine use permits disclosures by the Department to respond 
to a suspected or confirmed data breach, including the conduct of any 
risk analysis or provision of credit protection services as provided in 
38 U.S.C. 5724
    a. Effective Response. A Federal agency's ability to respond 
quickly and effectively in the event of a breach of Federal data is 
critical to its efforts to prevent or minimize any consequent harm. An 
effective response necessitates disclosure of information regarding the 
breach to those individuals affected by it, as well as to persons and 
entities in a position to cooperate, either by assisting in 
notification to affected individuals or playing a role in preventing or 
minimizing harms from the breach.

[[Page 64939]]

    b. Disclosure of Information. Often, the information to be 
disclosed to such persons and entities is maintained by Federal 
agencies and is subject to the Privacy Act (5 U.S.C. 552a). The Privacy 
Act prohibits the disclosure of any record in a system of records by 
any means of communication to any person or agency absent the written 
consent of the subject individual, unless the disclosure falls within 
one of twelve statutory exceptions. In order to ensure an agency is in 
the best position to respond in a timely and effective manner, in 
accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, agencies should 
publish a routine use for appropriate systems specifically applying to 
the disclosure of information in connection with response and remedial 
efforts in the event of a data breach.
    3. VA may, on its own initiative, disclose information in this 
system, except the names and home addresses of Veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, state, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of Veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.
    4. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    5. VA may disclose information from this system of records to 
individuals, organizations, private or public agencies, or other 
entities or individuals with whom VA has a contract or agreement to 
perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor, subcontractor, 
public or private agency, or other entity or individual with whom VA 
has a contract or agreement to perform services under the contract or 
agreement.
    6. VA may disclose information from this system to the Equal 
Employment Opportunity Commission (EEOC) when requested in connection 
with investigations of alleged or possible discriminatory practices, 
examination of Federal affirmative employment programs, or other 
functions of the Commission as authorized by law or regulation.
    7. VA may disclose information from this system to the Federal 
Labor Relations Authority (FLRA), including its General Counsel, 
information related to the establishment of jurisdiction, 
investigation, and resolution of allegations of unfair labor practices, 
or in connection with the resolution of exceptions to arbitration 
awards when a question of material fact is raised; for it to address 
matters properly before the Federal Service Impasses Panel, investigate 
representation petitions, and conduct or supervise representation 
elections.
    8. VA may disclose information from this system to the Merit 
Systems Protection Board (MSPB), or the Office of the Special Counsel, 
when requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law.
    9. VA may disclose information from this system to the National 
Archives and Records Administration (NARA) and General Services 
Administration (GSA) in records management inspections conducted under 
title 44, U.S.C. NARA is responsible for archiving old records which 
are no longer actively used but may be appropriate for preservation, 
and for the physical maintenance of the Federal government's records.
    10. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    11. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    12. VA may disclose relevant health care information to (a) a 
Federal agency or non-VA health care provider or institution when VA 
refers a patient for hospital or nursing home care or medical services, 
or authorizes a patient to obtain non-VA medical services, and the 
information is needed by the Federal agency or non-VA institution or 
provider to perform the services, or (b) a Federal agency or a non-VA 
hospital (Federal, State and local, public, or private) or other 
medical installation having hospital facilities, blood banks, or 
similar institutions, medical schools or clinics, or other groups or 
individuals that have contracted or agreed to provide medical services 
or share the use of medical resources under the provisions of 38 U.S.C. 
513, 7409, 8111, or 8153, when treatment is rendered by VA under the 
terms of such contract or agreement, or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment and/or follow-up, determining entitlement to a benefit, or 
recovery of the costs of the medical care.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    CCRA relies on information in VistA, and only collects information 
related to referrals. Referral information is maintained as part of the 
individual's electronic health care record in accordance with the rules 
applied to those records. The CCRA system is hosted in Amazon Web 
Services (AWS) Government Cloud (GovCloud) infrastructure as a service 
cloud-computing environment that has been authorized at the high-impact 
level under the Federal Risk and Authorization Management Program 
(FedRAMP). The secure site-to-site encrypted network connection is 
limited to access via the VA trusted internet connection (TIC).

[[Page 64940]]

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by name, social security number or other 
assigned identifiers of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    These patient appointment and appointment schedules records shall 
be maintained per Record Control Schedule (RCS) 10-1 item; 2201.1. 
According to General Records Scehdule (GRS) 5.1 item 010, DAA-GRS-2017-
0003-0001, temporary destroy transitory records, messages coordinating 
schedules, appointments, and events when no longer needed for business 
use, or according to agency predetermined time or business rule.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. CCRA has physical controls and securely stores digital and non-
digital media defined within the latest revision of NIST SP 800-88, 
Guidelines for Media Sanitization, and VA 6500, within controlled 
areas; and protects information system media until the media is 
destroyed or sanitized using approved equipment, techniques, and 
procedures.
    2. The CCRA system is hosted in Amazon Web Services (AWS) 
Government Cloud (GovCloud) infrastructure as a service cloud-computing 
environment that has been authorized at the high-impact level under the 
Federal Risk and Authorization Management Program (FedRAMP). The secure 
site-to-site encrypted network connection is limited to access via the 
VA trusted internet connection (TIC).

RECORD ACCESS PROCEDURES:
    Individuals seeking information regarding access to and contesting 
of records in this system may write, call or visit the VA facility 
location where medical care was provided or VHA Office of Community 
Care.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURES:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to review the contents of such record, should 
submit a written request or apply in person to the last VA health care 
facility where care was rendered. All inquiries must reasonably 
describe the portion of the medical record involved and the place and 
approximate date that medical care was provided. Inquiries should 
include the patient's full name, social security number, and return 
address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.
[FR Doc. 2018-27334 Filed 12-17-18; 8:45 am]
 BILLING CODE P