Privacy Act of 1974; System of Records, 64935-64940 [2018-27334]

Federal Register / Vol. 83, No. 242 / Tuesday, December 18, 2018 / Notices

proposed collection of information, including the validity of the methodology and assumptions used;
• Enhance the quality, utility, and clarity of the information to be collected; and
• Minimize the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., by permitting electronic submissions of responses.

Comments submitted in response to this notice will be summarized and/or included in the ICR for OMB approval of the extension of the information collection; they will also become a matter of public record.

Approved: December 11, 2018. R. Joseph Durbala, IRS Tax Analyst.

[FR Doc. 2018–27287 Filed 12–17–18; 8:45 am] BILLING CODE 4830–01–P

DEPARTMENT OF THE TREASURY

Internal Revenue Service

Proposed Extension of Information Collection Request Submitted for Public Comment; Comment Request for Form 8586

AGENCY: Internal Revenue Service (IRS), Treasury.

ACTION: Notice and request for comments.

SUMMARY: The Internal Revenue Service, as part of its continuing effort to reduce paperwork and respondent burden, invites the public and other Federal agencies to take this opportunity to comment on proposed and/or continuing information collections, as required by the Paperwork Reduction Act of 1995. Currently, the IRS is soliciting comments concerning Form 8586, Low-Income Housing Credit.

DATES: Written comments should be received on or before February 19, 2019 to be assured of consideration.

ADDRESSES: Direct all written comments to Laurie Brimmer, Internal Revenue Service, Room 6129, 1111 Constitution Avenue NW, Washington, DC 20224. Requests for additional information or copies of the regulations should be directed to R.
Joseph Durbala, at Internal Revenue Service, Room 6129, 1111 Constitution Avenue NW, Washington DC 20224, or through the internet, at RJoseph.Durbala@irs.gov.

SUPPLEMENTARY INFORMATION:

Title: Low-Income Housing Credit.

OMB Number: 1545–0984.

Form Number: 8586.

Abstract: Internal Revenue Code section 42 permits owners of residential rental projects providing low-income housing to claim a tax credit for part of the cost of constructing or rehabilitating such low-income housing. Form 8586 is used by taxpayers to compute the credit and by the IRS to verify that the correct credit has been claimed.

Current Actions: There is no change to the burden previously approved.

Type of Review: Extension of a currently approved collection.

Affected Public: Individuals or households, and businesses, or other for-profit organizations.

Estimated Number of Respondents: 7,786.

Estimated Time per Respondent: 8 hrs., 48 min.

Estimated Total Annual Burden Hours: 68,517.

The following paragraph applies to all the collections of information covered by this notice: An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the collection of information displays a valid OMB control number. Books or records relating to a collection of information must be retained if their contents may become material in the administration of any internal revenue law. Generally, tax returns and tax return information are confidential, as required by 26 U.S.C. 6103.
Desired Focus of Comments: The Internal Revenue Service (IRS) is particularly interested in comments that:
• Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
• Evaluate the accuracy of the agency’s estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
• Enhance the quality, utility, and clarity of the information to be collected; and
• Minimize the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., by permitting electronic submissions of responses.

Comments submitted in response to this notice will be summarized and/or included in the ICR for OMB approval of the extension of the information collection; they will also become a matter of public record.

Approved: December 11, 2018. R. Joseph Durbala, IRS Tax Analyst.

[FR Doc. 2018–27288 Filed 12–17–18; 8:45 am] BILLING CODE 4830–01–P

DEPARTMENT OF VETERANS AFFAIRS

Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of a new system of records.

SUMMARY: The Privacy Act of 1974 requires that all agencies publish in the Federal Register a notice of the existence and character of their systems of records. Notice is hereby given that the Department of Veterans Affairs (VA) is establishing a new system of records entitled, ‘‘HealthShare Referral Manager (HSRM)–VA’’ (180VA10D).

DATES: Comments on this new system of records must be received no later than January 17, 2019. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the new system will become effective January 17, 2019.
If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

ADDRESSES: Written comments concerning the new system of records may be submitted by: Mail or hand-delivery to Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Avenue NW, Room 1068, Washington, DC 20420; fax to (202) 273–9026; or Email to http://www.Regulations.gov. Comments should indicate that they are submitted in response to ‘‘HealthShare Referral Manager (HSRM)–VA’’ (180VA10D). All comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461–4902 (this is not a toll-free number) for an appointment.

FOR FURTHER INFORMATION CONTACT: Kevin Kania, Program Manager, Community Care Referrals and Authorization (CCRA) System, Office of Community Care, Hines Office of Information and Technology Field Office, Edward Hines, Jr. VA Hospital, P.O. Box 7008, Building 37, Room 128, Hines, IL 60141; telephone at (815) 254–0334. (This is not a toll-free number.)

SUPPLEMENTARY INFORMATION:

I. Description of Proposed Systems of Records

CCRA is an enterprise-wide solution in support of the Veterans Access, Choice, and Accountability Act of 2014 (Pub. L. 113–146) (‘‘Choice Act’’), as amended by the VA Expiring Authorities Act of 2014 (Pub. L. 113–175), to generate referrals and authorizations for Veterans receiving care in the community. VA clinical providers and Non-VA clinical providers will access a cloud based software system to request and refer clinical care for Veterans with Non-VA Community Care providers.
This solution will enhance Veteran access to care by utilizing a common and modern system to orchestrate the complex business of VA referral management. The CCRA solution is an integral component of the VA Community Care (CC) Information Technology (IT) architecture, and will track and share health care information and correspondence necessary for Veterans to be seen for appropriate and approved episodes of CC. The CCRA solution will allow the VA to move to a process that generates standardized referrals and authorizations, according to clinical and business rules. The CCRA project completed a contract to provide HealthShare Referral Manager by Intersystems as the CCRA solution. HealthShare Referral Manager is a commercial off-the-shelf software product that will be hosted in an Amazon Web Services (AWS) FedRAMP High Gov cloud and is planned for enterprise integration with VA systems, both inside and outside of CC.

II. Proposed Routine Use Disclosures of Data in the System

We are proposing to establish the following Routine Use disclosures of information maintained in the system. To the extent that records contained in the system include information protected by 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus; information protected by 38 U.S.C. 5705, i.e., quality assurance records; or information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information, such information cannot be disclosed under a routine use unless there is also specific statutory authority permitting the disclosure. VA may disclose protected health information pursuant to the following routine uses where required or permitted by law. 1. VA may disclose information from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
VA must be able to provide information about individuals to adequately respond to inquiries from Members of Congress at the request of constituents who have sought their assistance. 2. VA may disclose information from this system to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with VA’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. 3. VA may disclose information in this system, except the names and home addresses of Veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, state, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names and addresses of Veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. VA must be able to provide on its own initiative information that pertains to a violation of laws to law enforcement authorities in order for them to investigate and enforce those laws. Under 38 U.S.C. 
5701(a) and (f), VA may only disclose the names and addresses of Veterans and their dependents to Federal entities with law enforcement responsibilities. This is distinct from the authority to disclose records in response to a qualifying request from a law enforcement entity, as authorized by Privacy Act subsection 5 U.S.C. 552a(b)(7). 4. VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA’s initiative or in response to DoJ’s request for the information, after either VA or DoJ determines that such information is relevant to DoJ’s representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA must be able to provide information to DoJ in litigation where the United States or any of its components is involved or has an interest. A determination would be made in each instance that under the circumstances involved, the purpose is compatible with the purpose for which VA collected the information. This routine use is distinct from the authority to disclose records in response to a court order under subsection (b)(11) of the Privacy Act, 5 U.S.C. 552(b)(11), or any other provision of subsection (b), in accordance with the court’s analysis in Doe v. DiGenova, 779 F.2d 74, 78–84 (D.C. Cir. 1985) and Doe v. Stephens, 851 F.2d 1457, 1465–67 (D.C. Cir.
1988). 5. VA may disclose information from this system of records to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has a contract or agreement to perform services under the contract or agreement. This routine use includes disclosures by an individual or entity performing services for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA. This routine use, which also applies to agreements that do not qualify as contracts defined by Federal procurement laws and regulations, is consistent with the Office of Management and Budget (OMB) guidance in OMB Circular A–108, paragraph 6(j) that agencies promulgate routine uses to address disclosure of Privacy Act-protected information to contractors in order to perform the services contracts for the agency. 6. VA may disclose information from this system to the Equal Employment Opportunity Commission (EEOC) when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or other functions of the Commission as authorized by law or regulation. VA must be able to provide information to EEOC to assist it in fulfilling its duties to protect employees’ rights, as required by statute and regulation. 7.
VA may disclose information from this system to the Federal Labor Relations Authority (FLRA), including its General Counsel, information related to the establishment of jurisdiction, investigation, and resolution of allegations of unfair labor practices, or in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; for it to address matters properly before the Federal Services Impasses Panel, investigate representation petitions, and conduct or supervise representation elections. VA must be able to provide information to FLRA to comply with the statutory mandate under which it operates. 8. VA may disclose information from this system to the Merit Systems Protection Board (MSPB), or the Office of the Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law. VA must be able to provide information to MSPB to assist it in fulfilling its duties as required by statute and regulation. 9. VA may disclose information from this system to the National Archives and Records Administration (NARA) and General Services Administration (GSA) in records management inspections conducted under Title 44, U.S.C. NARA is responsible for archiving old records which are no longer actively used but may be appropriate for preservation, and for the physical maintenance of the Federal government’s records. VA must be able to provide the records to NARA in order to determine the proper disposition of such records. 10.
Data breach response and remedial efforts with another Federal agency: VA may disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. 11. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs. 12. VA may disclose relevant health care information to (a) a Federal agency or non-VA health care provider or institution when VA refers a patient for hospital or nursing home care or medical services, or authorizes a patient to obtain non-VA medical services, and the information is needed by the Federal agency or non-VA institution or provider to perform the services, or (b) a Federal agency or a non-VA hospital (Federal, State and local, public, or private) or other medical installation having hospital facilities, blood banks, or similar institutions, medical schools or clinics, or other groups or individuals that have contracted or agreed to provide medical services or share the use of medical resources under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, when treatment is rendered by VA under the terms of such contract or agreement, or the issuance of an authorization, and the information is needed for purposes of medical treatment and/or follow-up, determining entitlement to a benefit, or recovery of the costs of the medical care. III. 
Compatibility of the Proposed Routine Uses

The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which VA collected the information. In all of the routine use disclosures described above, either the recipient of the information will use the information in connection with a matter relating to one of VA’s programs, to provide a benefit to the VA, or to disclose information as required by law. Under section 264, Subtitle F of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Public Law 104–191, 100 Stat. 1936, 2033–34 (1996), the United States Department of Health and Human Services (HHS) published a final rule, as amended, establishing Standards for Privacy of Individually-Identifiable Health Information, 45 CFR parts 160 and 164. Veterans Health Administration (VHA) may not disclose individually identifiable health information (as defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to a routine use unless either: (a) The disclosure is required by law, or (b) the disclosure is also permitted or required by HHS’ Privacy Rule. The disclosures of individually-identifiable health information contemplated in the routine uses published in this new system of records notice are permitted under the Privacy Rule or required by law. However, to also have authority to make such disclosures under the Privacy Act, VA must publish these routine uses. Consequently, VA is publishing these routine uses to the routine uses portion of the system of records notice stating that any disclosure pursuant to the routine uses in this system of records notice must be either required by law or permitted by the Privacy Rule, before VHA may disclose the covered information.
The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director, Office of Management and Budget, as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. James B. Ford, Acting Executive Director for Privacy, Quality, Privacy, and Risk, Department of Veterans Affairs approved this document on July 16, 2018 for publication.

Dated: December 13, 2018. Kathleen M. Manwell, Program Analyst, VA Privacy Service, Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:

HealthShare Referral Manager (HSRM)-VA (180VA10D)

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Amazon Web Services, LLC, 13461 Sunrise Valley Drive, Herndon, VA 20171–3283. Community Care Referrals and Authorization (CCRA) System Program Manager, Office of Community Care, Hines Office of Information and Technology Field Office, Edward Hines, Jr. VA Hospital, P.O. Box 7008, Building 37, Room 128, Hines, IL 60141.

SYSTEM MANAGER(S):

Officials responsible for policies and procedures: Program Manager, VHA Office of Community Care (10D), Health Eligibility Center, 2957 Clairmont Road, Suite 200 Atlanta, GA 30329–1647. Telephone number (815) 254–0334. (This is not a toll-free number.)

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code, section 7301(a) and Veterans Access, Choice, and Accountability Act of 2014 (Pub. L. 113–146).
PURPOSE(S) OF THE SYSTEM:

CCRA is an enterprise-wide system used by community care staff to automatically generate referrals and authorizations for all Veterans receiving care in the community. The system is an integral component of the VA community care information technology (IT) architecture, and will allow Veterans to receive care from community providers within the Community Care Network through the Veterans Choice Program. The CCRA system will allow these providers to view relevant patient and clinical information from Veterans Information Systems and Technology Architecture (VistA). The exchange of health care information and authorizations will enhance VA’s ability to ensure that Veterans receive the best health care available to address their medical needs. The CCRA system will also enable the VA to move from what is currently a largely manual process to an automated process that generates standardized referrals and authorizations according to clinical and business rules. The automated process will decrease the administrative burden on VA clinical and community care staff members by way of establishing clinical and business pathways that reflect best processes, consistent outcomes, and reduced turnaround times.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records include information concerning: 1. Veterans who have applied for health care services under Title 38, United States Code, Chapter 17, and in certain cases members of their immediate families. 2. Individuals examined or treated under contract or resource sharing agreements. 3. Individuals who were provided medical care under emergency conditions for humanitarian reasons. 4. Health care professionals providing examination or treatment to any individuals within VA health care facilities. 5. Healthcare professionals providing examination or treatment to individuals under contract or resource sharing agreements or CC programs, such as Choice. 6. Patients and members of their immediate family, volunteers, maintenance personnel, as well as individuals working collaboratively with VA. 7. Contractors, sub-contractors, contract personnel, students, providers and consultants.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records may include information and health information related to: 1. Identifying information (e.g., name, birth date, death date, admission date, discharge date, gender, social security number, taxpayer identification number); address information (e.g., home and/or mailing address, home telephone number, emergency contact information such as name, address, telephone number, and relationship); prosthetic and sensory aid serial numbers; medical record numbers; integration control numbers; information related to medical examination or treatment (e.g., location of VA medical facility providing examination or treatment, treatment dates, medical conditions treated or noted on examination); information related to military service and status. 2. Computer access authorizations, computer applications available and used, information access attempts, frequency and time of use; identification of the person responsible for, currently assigned, or otherwise engaged in various categories of patient care or support of health care delivery. 3. Application, eligibility, and claim information regarding payment determination for medical services provided to VA beneficiaries by non-VA health care institutions and providers. 4. Health care provider’s name, address, and taxpayer identification number, correspondence concerning individuals and documents pertaining to claims for medical services, reasons for denial of payment, and appellate determinations.
RECORD SOURCE CATEGORIES:

The Veteran or other VA beneficiary, family members or accredited representatives, and other third parties; private medical facilities and healthcare professionals; health insurance carriers; other Federal agencies; employees; contractors; VHA facilities and automated systems providing clinical and managerial support at VA health care facilities.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

1. VA may disclose information from the record of an individual in response to an inquiry from the congressional office made at the request of that individual. 2. VA may disclose information from this system to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with VA’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724. a. Effective Response. A Federal agency’s ability to respond quickly and effectively in the event of a breach of Federal data is critical to its efforts to prevent or minimize any consequent harm.
An effective response necessitates disclosure of information regarding the breach to those individuals affected by it, as well as to persons and entities in a position to cooperate, either by assisting in notification to affected individuals or playing a role in preventing or minimizing harms from the breach. b. Disclosure of Information. Often, the information to be disclosed to such persons and entities is maintained by Federal agencies and is subject to the Privacy Act (5 U.S.C. 552a). The Privacy Act prohibits the disclosure of any record in a system of records by any means of communication to any person or agency absent the written consent of the subject individual, unless the disclosure falls within one of twelve statutory exceptions. In order to ensure an agency is in the best position to respond in a timely and effective manner, in accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, agencies should publish a routine use for appropriate systems specifically applying to the disclosure of information in connection with response and remedial efforts in the event of a data breach. 3. VA may, on its own initiative, disclose information in this system, except the names and home addresses of Veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, state, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order.
On its own initiative, VA may also disclose the names and addresses of Veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. 4. VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA’s initiative or in response to DoJ’s request for the information, after either VA or DoJ determines that such information is relevant to DoJ’s representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. 5. VA may disclose information from this system of records to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has a contract or agreement to perform services under the contract or agreement. 6.
VA may disclose information from this system to the Equal Employment Opportunity Commission (EEOC) when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or other functions of the Commission as authorized by law or regulation. 7. VA may disclose information from this system to the Federal Labor Relations Authority (FLRA), including its General Counsel, information related to the establishment of jurisdiction, investigation, and resolution of allegations of unfair labor practices, or in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; for it to address matters properly before the Federal Service Impasses Panel, investigate representation petitions, and conduct or supervise representation elections. 8. VA may disclose information from this system to the Merit Systems Protection Board (MSPB), or the Office of the Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law. 9. VA may disclose information from this system to the National Archives and Records Administration (NARA) and General Services Administration (GSA) in records management inspections conducted under title 44, U.S.C. NARA is responsible for archiving old records which are no longer actively used but may be appropriate for preservation, and for the physical maintenance of the Federal government’s records. 10. 
VA may disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of PO 00000 Frm 00131 Fmt 4703 Sfmt 4703 64939 records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. 11. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs. 12. VA may disclose relevant health care information to (a) a Federal agency or non-VA health care provider or institution when VA refers a patient for hospital or nursing home care or medical services, or authorizes a patient to obtain non-VA medical services, and the information is needed by the Federal agency or non-VA institution or provider to perform the services, or (b) a Federal agency or a non-VA hospital (Federal, State and local, public, or private) or other medical installation having hospital facilities, blood banks, or similar institutions, medical schools or clinics, or other groups or individuals that have contracted or agreed to provide medical services or share the use of medical resources under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, when treatment is rendered by VA under the terms of such contract or agreement, or the issuance of an authorization, and the information is needed for purposes of medical treatment and/or follow-up, determining entitlement to a benefit, or recovery of the costs of the medical care. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: CCRA relies on information in VistA, and only collects information related to referrals. 
Referral information is maintained as part of the individual’s electronic health care record in accordance with the rules applied to those records. The CCRA system is hosted in Amazon Web Services (AWS) Government Cloud (GovCloud) infrastructure as a service cloudcomputing environment that has been authorized at the high-impact level under the Federal Risk and Authorization Management Program (FedRAMP). The secure site-to-site encrypted network connection is limited to access via the VA trusted internet connection (TIC). E:\FR\FM\18DEN1.SGM 18DEN1 64940 Federal Register / Vol. 83, No. 242 / Tuesday, December 18, 2018 / Notices POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: Records are retrieved by name, social security number or other assigned identifiers of the individuals on whom they are maintained. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: These patient appointment and appointment schedules records shall be maintained per Record Control Schedule (RCS) 10–1 item; 2201.1. According to General Records Scehdule (GRS) 5.1 item 010, DAA–GRS–2017– 0003–0001, temporary destroy transitory records, messages coordinating schedules, appointments, and events when no longer needed for business use, or according to agency predetermined time or business rule. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: amozie on DSK3GDR082PROD with NOTICES 1. CCRA has physical controls and securely stores digital and non-digital media defined within the latest revision of NIST SP 800–88, Guidelines for VerDate Sep<11>2014 00:45 Dec 18, 2018 Jkt 247001 Media Sanitization, and VA 6500, within controlled areas; and protects information system media until the media is destroyed or sanitized using approved equipment, techniques, and procedures. 2. 
The CCRA system is hosted in Amazon Web Services (AWS) Government Cloud (GovCloud) infrastructure as a service cloudcomputing environment that has been authorized at the high-impact level under the Federal Risk and Authorization Management Program (FedRAMP). The secure site-to-site encrypted network connection is limited to access via the VA trusted internet connection (TIC). RECORD ACCESS PROCEDURES: Frm 00132 Fmt 4703 Sfmt 9990 (See Record Access Procedures above.) NOTIFICATION PROCEDURES: An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to review the contents of such record, should submit a written request or apply in person to the last VA health care facility where care was rendered. All inquiries must reasonably describe the portion of the medical record involved and the place and approximate date that medical care was provided. Inquiries should include the patient’s full name, social security number, and return address. EXEMPTIONS PROMULGATED FOR THE SYSTEM: Individuals seeking information regarding access to and contesting of records in this system may write, call or visit the VA facility location where medical care was provided or VHA Office of Community Care. PO 00000 CONTESTING RECORD PROCEDURES: None. HISTORY: None. [FR Doc. 2018–27334 Filed 12–17–18; 8:45 am] BILLING CODE P E:\FR\FM\18DEN1.SGM 18DEN1

[Federal Register Volume 83, Number 242 (Tuesday, December 18, 2018)]
[Notices]
[Pages 64935-64940]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-27334]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 requires that all agencies publish in 
the Federal Register a notice of the existence and character of their 
systems of records. Notice is hereby given that the Department of 
Veterans Affairs (VA) is establishing a new system of records entitled, 
``HealthShare Referral Manager (HSRM)-VA'' (180VA10D).

DATES: Comments on this new system of records must be received no later 
than January 17, 2019. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by VA, the new system will become effective January 17, 2019. 
If VA receives public comments, VA shall review the comments to 
determine whether any changes to the notice are necessary.

ADDRESSES: Written comments concerning the new system of records may be 
submitted by: Mail or hand-delivery to Director, Regulations Management 
(00REG), Department of Veterans Affairs, 810 Vermont Avenue NW, Room 
1068, Washington, DC 20420; fax to (202) 273-9026; or Email to http://www.Regulations.gov. Comments should indicate that they are submitted 
in response to ``HealthShare Referral Manager (HSRM)-VA'' (180VA10D). 
All comments received will be available for public inspection in the 
Office of Regulation Policy and Management, Room 1063B, between the 
hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except 
holidays). Please call (202) 461-4902 (this is not a toll-free number) 
for an appointment.

FOR FURTHER INFORMATION CONTACT: Kevin Kania, Program Manager, 
Community Care Referrals and
Authorization (CCRA) System, Office of Community Care, Hines Office of 
Information and Technology Field Office, Edward Hines, Jr. VA Hospital, 
P.O. Box 7008, Building 37, Room 128, Hines, IL 60141; telephone at 
(815) 254-0334. (This is not a toll-free number.)

SUPPLEMENTARY INFORMATION:

I. Description of Proposed Systems of Records

    CCRA is an enterprise-wide solution in support of the Veterans 
Access, Choice, and Accountability Act of 2014 (Pub. L. 113-146) 
(``Choice Act''), as amended by the VA Expiring Authorities Act of 2014 
(Pub. L. 113-175), to generate referrals and authorizations for 
Veterans receiving care in the community. VA clinical providers and 
Non-VA clinical providers will access a cloud based software system to 
request and refer clinical care for Veterans with Non-VA Community Care 
providers. This solution will enhance Veteran access to care by 
utilizing a common and modern system to orchestrate the complex 
business of VA referral management. The CCRA solution is an integral 
component of the VA Community Care (CC) Information Technology (IT) 
architecture, and will track and share health care information and 
correspondence necessary for Veterans to be seen for appropriate and 
approved episodes of CC. The CCRA solution will allow the VA to move to 
a process that generates standardized referrals and authorizations, 
according to clinical and business rules.
    The CCRA project completed a contract to provide HealthShare 
Referral Manager by Intersystems as the CCRA solution. HealthShare 
Referral Manager is a commercial off-the-shelf software product that 
will be hosted in an Amazon Web Services (AWS) FedRAMP High Gov cloud 
and is planned for enterprise integration with VA systems, both inside 
and outside of CC.

II. Proposed Routine Use Disclosures of Data in the System

    We are proposing to establish the following Routine Use disclosures 
of information maintained in the system. To the extent that records 
contained in the system include information protected by 38 U.S.C. 
7332, i.e., medical treatment information related to drug abuse, 
alcoholism or alcohol abuse, sickle cell anemia or infection with the 
human immunodeficiency virus; information protected by 38 U.S.C. 5705, 
i.e., quality assurance records; or information protected by 45 CFR 
parts 160 and 164, i.e., individually identifiable health information, 
such information cannot be disclosed under a routine use unless there 
is also specific statutory authority permitting the disclosure. VA may 
disclose protected health information pursuant to the following routine 
uses where required or permitted by law.
    1. VA may disclose information from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of that individual. VA must be able to provide information 
about individuals to adequately respond to inquiries from Members of 
Congress at the request of constituents who have sought their 
assistance.
    2. VA may disclose information from this system to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk of harm to individuals, VA (including its information 
systems, programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with VA's 
efforts to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    3. VA may disclose information in this system, except the names and 
home addresses of Veterans and their dependents, which is relevant to a 
suspected or reasonably imminent violation of law, whether civil, 
criminal or regulatory in nature and whether arising by general or 
program statute or by regulation, rule or order issued pursuant 
thereto, to a Federal, state, local, tribal, or foreign agency charged 
with the responsibility of investigating or prosecuting such violation, 
or charged with enforcing or implementing the statute, regulation, rule 
or order. On its own initiative, VA may also disclose the names and 
addresses of Veterans and their dependents to a Federal agency charged 
with the responsibility of investigating or prosecuting civil, criminal 
or regulatory violations of law, or charged with enforcing or 
implementing the statute, regulation, rule or order issued pursuant 
thereto. VA must be able to provide on its own initiative information 
that pertains to a violation of laws to law enforcement authorities in 
order for them to investigate and enforce those laws. Under 38 U.S.C. 
5701(a) and (f), VA may only disclose the names and addresses of 
Veterans and their dependents to Federal entities with law enforcement 
responsibilities. This is distinct from the authority to disclose 
records in response to a qualifying request from a law enforcement 
entity, as authorized by Privacy Act subsection 5 U.S.C. 552a(b)(7).
    4. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA must be able to 
provide information to DoJ in litigation where the United States or any 
of its components is involved or has an interest. A determination would 
be made in each instance that under the circumstances involved, the 
purpose is compatible with the purpose for which VA collected the 
information. This routine use is distinct from the authority to 
disclose records in response to a court order under subsection (b)(11) 
of the Privacy Act, 5 U.S.C. 552(b)(11), or any other provision of 
subsection (b), in accordance with the court's analysis in Doe v. 
DiGenova, 779 F.2d 74, 78-84 (D.C. Cir. 1985) and Doe v. Stephens, 851 
F.2d 1457, 1465-67 (D.C. Cir. 1988).
    5. VA may disclose information from this system of records to 
individuals, organizations, private or public agencies, or other 
entities or individuals with whom VA has a contract or agreement to 
perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor, subcontractor, 
public or private agency, or other entity or individual with whom VA 
has a contract or agreement to perform services under the contract or 
agreement. This routine use includes disclosures by an individual or 
entity performing services for VA to any secondary entity or individual 
to perform an activity that is necessary for individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to provide the
service to VA. This routine use, which also applies to agreements that 
do not qualify as contracts defined by Federal procurement laws and 
regulations, is consistent with the Office of Management and Budget 
(OMB) guidance in OMB Circular A-108, paragraph 6(j) that agencies 
promulgate routine uses to address disclosure of Privacy Act-protected 
information to contractors in order to perform the services contracts 
for the agency.
    6. VA may disclose information from this system to the Equal 
Employment Opportunity Commission (EEOC) when requested in connection 
with investigations of alleged or possible discriminatory practices, 
examination of Federal affirmative employment programs, or other 
functions of the Commission as authorized by law or regulation. VA must 
be able to provide information to EEOC to assist it in fulfilling its 
duties to protect employees' rights, as required by statute and 
regulation.
    7. VA may disclose information from this system to the Federal 
Labor Relations Authority (FLRA), including its General Counsel, 
information related to the establishment of jurisdiction, 
investigation, and resolution of allegations of unfair labor practices, 
or in connection with the resolution of exceptions to arbitration 
awards when a question of material fact is raised; for it to address 
matters properly before the Federal Service Impasses Panel, 
investigate representation petitions, and conduct or supervise 
representation elections. VA must be able to provide information to 
FLRA to comply with the statutory mandate under which it operates.
    8. VA may disclose information from this system to the Merit 
Systems Protection Board (MSPB), or the Office of the Special Counsel, 
when requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law. VA must be able to provide information to MSPB to 
assist it in fulfilling its duties as required by statute and 
regulation.
    9. VA may disclose information from this system to the National 
Archives and Records Administration (NARA) and General Services 
Administration (GSA) in records management inspections conducted under 
Title 44, U.S.C. NARA is responsible for archiving old records which 
are no longer actively used but may be appropriate for preservation, 
and for the physical maintenance of the Federal government's records. 
VA must be able to provide the records to NARA in order to determine 
the proper disposition of such records.
    10. Data breach response and remedial efforts with another Federal 
agency: VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    11. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    12. VA may disclose relevant health care information to (a) a 
Federal agency or non-VA health care provider or institution when VA 
refers a patient for hospital or nursing home care or medical services, 
or authorizes a patient to obtain non-VA medical services, and the 
information is needed by the Federal agency or non-VA institution or 
provider to perform the services, or (b) a Federal agency or a non-VA 
hospital (Federal, State and local, public, or private) or other 
medical installation having hospital facilities, blood banks, or 
similar institutions, medical schools or clinics, or other groups or 
individuals that have contracted or agreed to provide medical services 
or share the use of medical resources under the provisions of 38 U.S.C. 
513, 7409, 8111, or 8153, when treatment is rendered by VA under the 
terms of such contract or agreement, or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment and/or follow-up, determining entitlement to a benefit, or 
recovery of the costs of the medical care.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which VA collected the information. In all of the routine 
use disclosures described above, either the recipient of the 
information will use the information in connection with a matter 
relating to one of VA's programs, to provide a benefit to the VA, or to 
disclose information as required by law.
    Under section 264, Subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 
100 Stat. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable Health 
Information, 45 CFR parts 160 and 164. Veterans Health Administration 
(VHA) may not disclose individually identifiable health information (as 
defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 
164.501) pursuant to a routine use unless either: (a) The disclosure is 
required by law, or (b) the disclosure is also permitted or required by 
HHS' Privacy Rule. The disclosures of individually-identifiable health 
information contemplated in the routine uses published in this new 
system of records notice are permitted under the Privacy Rule or 
required by law. However, to also have authority to make such 
disclosures under the Privacy Act, VA must publish these routine uses. 
Consequently, VA is publishing these routine uses to the routine uses 
portion of the system of records notice stating that any disclosure 
pursuant to the routine uses in this system of records notice must be 
either required by law or permitted by the Privacy Rule, before VHA may 
disclose the covered information.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director, Office of Management and Budget, as required by 5 
U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 
77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. James B. 
Ford, Acting Executive Director for Privacy, Quality, Privacy, and 
Risk, Department of Veterans Affairs approved this document on July 16, 
2018 for publication.



    Dated: December 13, 2018.
Kathleen M. Manwell,
Program Analyst, VA Privacy Service, Office of Information and 
Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    HealthShare Referral Manager (HSRM)-VA (180VA10D)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Amazon Web Services, LLC, 13461 Sunrise Valley Drive, Herndon, VA 
20171-3283. Community Care Referrals and Authorization (CCRA) System 
Program Manager, Office of Community Care, Hines Office of Information 
and Technology Field Office, Edward Hines, Jr. VA Hospital, P.O. Box 
7008, Building 37, Room 128, Hines, IL 60141.

SYSTEM MANAGER(S):
    Officials responsible for policies and procedures: Program Manager, 
VHA Office of Community Care (10D), Health Eligibility Center, 2957 
Clairmont Road, Suite 200, Atlanta, GA 30329-1647. Telephone number 
(815) 254-0334. (This is not a toll-free number.)

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, section 7301(a) and Veterans Access, 
Choice, and Accountability Act of 2014 (Pub. L. 113-146).

PURPOSE(S) OF THE SYSTEM:
    CCRA is an enterprise-wide system used by community care staff to 
automatically generate referrals and authorizations for all Veterans 
receiving care in the community. The system is an integral component of 
the VA community care information technology (IT) architecture, and 
will allow Veterans to receive care from community providers within the 
Community Care Network through the Veterans Choice Program. The CCRA 
system will allow these providers to view relevant patient and clinical 
information from Veterans Information Systems and Technology 
Architecture (VistA). The exchange of health care information and 
authorizations will enhance VA's ability to ensure that Veterans 
receive the best health care available to address their medical needs. 
The CCRA system will also enable the VA to move from what is currently 
a largely manual process to an automated process that generates 
standardized referrals and authorizations according to clinical and 
business rules. The automated process will decrease the administrative 
burden on VA clinical and community care staff members by way of 
establishing clinical and business pathways that reflect best 
processes, consistent outcomes, and reduced turnaround times.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning:
    1. Veterans who have applied for health care services under Title 
38, United States Code, Chapter 17, and in certain cases members of 
their immediate families.
    2. Individuals examined or treated under contract or resource 
sharing agreements.
    3. Individuals who were provided medical care under emergency 
conditions for humanitarian reasons.
    4. Health care professionals providing examination or treatment to 
any individuals within VA health care facilities.
    5. Healthcare professionals providing examination or treatment to 
individuals under contract or resource sharing agreements or CC 
programs, such as Choice.
    6. Patients and members of their immediate family, volunteers, 
maintenance personnel, as well as individuals working collaboratively 
with VA.
    7. Contractors, sub-contractors, contract personnel, students, 
providers and consultants.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information and health information related 
to:
    1. Identifying information (e.g., name, birth date, death date, 
admission date, discharge date, gender, social security number, 
taxpayer identification number); address information (e.g., home and/or 
mailing address, home telephone number, emergency contact information 
such as name, address, telephone number, and relationship); prosthetic 
and sensory aid serial numbers; medical record numbers; integration 
control numbers; information related to medical examination or 
treatment (e.g., location of VA medical facility providing examination 
or treatment, treatment dates, medical conditions treated or noted on 
examination); information related to military service and status.
    2. Computer access authorizations, computer applications available 
and used, information access attempts, frequency and time of use; 
identification of the person responsible for, currently assigned, or 
otherwise engaged in various categories of patient care or support of 
health care delivery.
    3. Application, eligibility, and claim information regarding 
payment determination for medical services provided to VA beneficiaries 
by non-VA health care institutions and providers.
    4. Health care provider's name, address, and taxpayer 
identification number, correspondence concerning individuals and 
documents pertaining to claims for medical services, reasons for denial 
of payment, and appellate determinations.

RECORD SOURCE CATEGORIES:
    The Veteran or other VA beneficiary, family members or accredited 
representatives, and other third parties; private medical facilities 
and healthcare professionals; health insurance carriers; other Federal 
agencies; employees; contractors; VHA facilities and automated systems 
providing clinical and managerial support at VA health care facilities.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. VA may disclose information from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of that individual.
    2. VA may disclose information from this system to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk of harm to individuals, VA (including its information 
systems, programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with VA's 
efforts to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    This routine use permits disclosures by the Department to respond 
to a suspected or confirmed data breach, including the conduct of any 
risk analysis or provision of credit protection services as provided in 
38 U.S.C. 5724.
    a. Effective Response. A Federal agency's ability to respond 
quickly and effectively in the event of a breach of Federal data is 
critical to its efforts to prevent or minimize any consequent harm. An 
effective response necessitates disclosure of information regarding the 
breach to those individuals affected by it, as well as to persons and 
entities in a position to cooperate, either by assisting in 
notification to affected individuals or playing a role in preventing or 
minimizing harms from the breach.
    b. Disclosure of Information. Often, the information to be 
disclosed to such persons and entities is maintained by Federal 
agencies and is subject to the Privacy Act (5 U.S.C. 552a). The Privacy 
Act prohibits the disclosure of any record in a system of records by 
any means of communication to any person or agency absent the written 
consent of the subject individual, unless the disclosure falls within 
one of twelve statutory exceptions. In order to ensure an agency is in 
the best position to respond in a timely and effective manner, in 
accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, agencies should 
publish a routine use for appropriate systems specifically applying to 
the disclosure of information in connection with response and remedial 
efforts in the event of a data breach.
    3. VA may, on its own initiative, disclose information in this 
system, except the names and home addresses of Veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, state, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of Veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.
    4. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    5. VA may disclose information from this system of records to 
individuals, organizations, private or public agencies, or other 
entities or individuals with whom VA has a contract or agreement to 
perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor, subcontractor, 
public or private agency, or other entity or individual with whom VA 
has a contract or agreement to perform services under the contract or 
agreement.
    6. VA may disclose information from this system to the Equal 
Employment Opportunity Commission (EEOC) when requested in connection 
with investigations of alleged or possible discriminatory practices, 
examination of Federal affirmative employment programs, or other 
functions of the Commission as authorized by law or regulation.
    7. VA may disclose information from this system to the Federal 
Labor Relations Authority (FLRA), including its General Counsel, 
information related to the establishment of jurisdiction, 
investigation, and resolution of allegations of unfair labor practices, 
or in connection with the resolution of exceptions to arbitration 
awards when a question of material fact is raised; for it to address 
matters properly before the Federal Service Impasses Panel, investigate 
representation petitions, and conduct or supervise representation 
elections.
    8. VA may disclose information from this system to the Merit 
Systems Protection Board (MSPB), or the Office of the Special Counsel, 
when requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law.
    9. VA may disclose information from this system to the National 
Archives and Records Administration (NARA) and General Services 
Administration (GSA) in records management inspections conducted under 
title 44, U.S.C. NARA is responsible for archiving old records which 
are no longer actively used but may be appropriate for preservation, 
and for the physical maintenance of the Federal government's records.
    10. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    11. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    12. VA may disclose relevant health care information to (a) a 
Federal agency or non-VA health care provider or institution when VA 
refers a patient for hospital or nursing home care or medical services, 
or authorizes a patient to obtain non-VA medical services, and the 
information is needed by the Federal agency or non-VA institution or 
provider to perform the services, or (b) a Federal agency or a non-VA 
hospital (Federal, State and local, public, or private) or other 
medical installation having hospital facilities, blood banks, or 
similar institutions, medical schools or clinics, or other groups or 
individuals that have contracted or agreed to provide medical services 
or share the use of medical resources under the provisions of 38 U.S.C. 
513, 7409, 8111, or 8153, when treatment is rendered by VA under the 
terms of such contract or agreement, or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment and/or follow-up, determining entitlement to a benefit, or 
recovery of the costs of the medical care.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    CCRA relies on information in VistA, and only collects information 
related to referrals. Referral information is maintained as part of the 
individual's electronic health care record in accordance with the rules 
applied to those records. The CCRA system is hosted in Amazon Web 
Services (AWS) Government Cloud (GovCloud) infrastructure as a service 
cloud-computing environment that has been authorized at the high-impact 
level under the Federal Risk and Authorization Management Program 
(FedRAMP). The secure site-to-site encrypted network connection is 
limited to access via the VA trusted internet connection (TIC).

[[Page 64940]]

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by name, social security number or other 
assigned identifiers of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    These patient appointment and appointment schedules records shall 
be maintained per Record Control Schedule (RCS) 10-1 item 2201.1. 
According to General Records Schedule (GRS) 5.1 item 010, 
DAA-GRS-2017-0003-0001, temporary; destroy transitory records, messages 
coordinating schedules, appointments, and events when no longer needed 
for business use, or according to agency predetermined time or business rule.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. CCRA has physical controls and securely stores digital and non-
digital media defined within the latest revision of NIST SP 800-88, 
Guidelines for Media Sanitization, and VA 6500, within controlled 
areas; and protects information system media until the media is 
destroyed or sanitized using approved equipment, techniques, and 
procedures.
    2. The CCRA system is hosted in Amazon Web Services (AWS) 
Government Cloud (GovCloud) infrastructure as a service cloud-computing 
environment that has been authorized at the high-impact level under the 
Federal Risk and Authorization Management Program (FedRAMP). The secure 
site-to-site encrypted network connection is limited to access via the 
VA trusted internet connection (TIC).

RECORD ACCESS PROCEDURES:
    Individuals seeking information regarding access to and contesting 
of records in this system may write, call or visit the VA facility 
location where medical care was provided or VHA Office of Community 
Care.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURES:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to review the contents of such record, should 
submit a written request or apply in person to the last VA health care 
facility where care was rendered. All inquiries must reasonably 
describe the portion of the medical record involved and the place and 
approximate date that medical care was provided. Inquiries should 
include the patient's full name, social security number, and return 
address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.
[FR Doc. 2018-27334 Filed 12-17-18; 8:45 am]
 BILLING CODE P