Privacy Act of 1974; System of Records, 84119-84122 [2020-28342]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 85, Number 247 (Wednesday, December 23, 2020)]
[Notices]
[Pages 84119-84122]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-28342]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Veterans Health Administration (VHA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 notice is hereby given 
that the Department of Veterans Affairs (VA) is amending the system of 
records entitled, ``Consolidated Data Information System-VA'' 
(97VA10P1) as set forth in the Federal Register 80 FR 11524. VA is 
amending the system of records by revising the System Number; 
Categories of Individuals Covered By the System; Categories of Records 
in the System; Record Source Categories; Routine Uses of Records 
Maintained in the System and Policies; Policies and Practices for 
Storage of Records; Policies and Practices for Retrieval of Records; 
Policies and Practices for Retention and Disposal of Records; 
Administrative, Technical, and Physical Safeguards; Record Access 
Procedure; and Appendix. VA is republishing the system notice in its 
entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than January 22, 2021. If no public comment is 
received during the period allowed for comment or unless otherwise 
published in the Federal Register by VA, the amended system will become 
effective January 22, 2021.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Consolidated Data Information System-VA (97VA10P1)''. 
Comments received will be available at regulations.gov for public 
viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health 
Administration (VHA) Privacy Officer, Department of Veterans Affairs, 
810 Vermont Avenue NW, Washington, DC 20420, (704) 245-2492.

SUPPLEMENTARY INFORMATION: The System Number will be changed from 
97VA10P1 to 97VA10 to reflect the current VHA organizational routing 
symbol.
    The Categories of Individuals Covered by the System is being 
amended to include VA-enrolled Veterans. This section will remove 
individuals who are not beneficiaries.

[[Page 84120]]

    The Categories of Records in the System is being amended to change 
``VHA Survey of Veteran Enrollees' Health and Reliance Upon VA'' to 
``VA Survey of Veteran Enrollees' Health and Use of Health Care''. This 
section will include prescription drugs along with patient assessments 
for patients receiving care from CMS certified facilities. The records 
also include data from United States Renal Data Systems (USRDS) for 
patients with chronic and end-stage renal disease. This section will 
remove records including information on Medicaid beneficiaries' 
utilization and enrollment from state databases. Also being removed is 
assessment files including Veteran and non-Veteran data.
    The Records Source Categories is being amended to change Patient 
Medical Records System (24VA136) to Patient Medical Records-VA 
(24VA10A7), Patient Fee Basis Medical and Pharmacy Records (23VA136) 
change to Non-VA Care (Fee) Records-VA (23VA10NB3), and 38VA23 change 
to 38VA21.
    The Routine Uses of Records Maintained in the System is amending 
the language in Routine Use #5 which states that disclosure of the 
records to the Department of Justice (DoJ) is a use of the information 
contained in the records that is compatible with the purpose for which 
VA collected the records. VA may disclose records in this system of 
records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. This routine use will now state that release of the records to 
the DoJ is limited to circumstances where relevant and necessary to the 
litigation. VA may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that release of the records to the DoJ is limited to circumstances 
where relevant and necessary to the litigation.
    Routine Use #7 has been amended by clarifying the language to 
state, ``VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons is reasonably necessary to assist in connection with VA efforts 
to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.''
    Routine use #13 is being added to state, ``VA may disclose 
information from this system of records to another Federal agency or 
Federal entity, when VA determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.''
    Policies and Practices for Storage of Records section is being 
amended to remove that Data are maintained on magnetic tape, disk, or 
laser optical media. This section will now state that the data is 
maintained on VA approved removable media, VA approved and audited 
external servers and VA controlled systems.
    Policies and Practices for Retrieval of Records is being amended to 
remove VA claim number, name, name and one or more criteria (e.g., 
dates of birth, death and service). This section will include system 
beneficiary identifier.
    Policies and Practices for Retention and Disposal of Records is 
being amended to remove that records will be maintained and disposed of 
in accordance with the records disposal authority approved by the 
Archivist of the United States, the National Archives and Records 
Administration, and published in Agency Records Control Schedules. This 
section will now state that in accordance with Records Control Schedule 
10-1, 2201.2: Records that are intermediary and temporary can be 
destroyed upon verification of successful creation of the final 
document or file, or when no longer needed for business use, whichever 
is later. (GRS 5.2 item 020, DAA-GRS-2017-0003-0001).
    Administrative, Technical, and Physical Safeguards section is being 
amended to remove 2. Access to Automated Data Processing files is 
controlled at two levels: (1) Terminals, central processing units, and 
peripheral devices are generally placed in secure areas (areas that are 
locked or have limited access) or are otherwise protected; and (2) the 
system recognizes authorized users by means of an individually unique 
password entered in combination with an individually unique user 
identification code. 3. Access to automated records concerning 
identification codes and codes used to access various VA automated 
communications systems and records systems, as well as security 
profiles and possible security violations is limited to designated 
automated systems security personnel who need to know the information 
in order to maintain and monitor the security of VA's automated 
communications and Veterans' claim records systems. Access to these 
records in automated form is controlled by individually unique 
passwords and codes. Agency personnel may have access to the 
information on a need to know basis when necessary to advise agency 
security personnel or for use to suspend or revoke access privileges or 
to make disclosures authorized by a routine use. This section will now 
replace number 2 with: Access to VA computer systems and data stored 
within these systems is restricted through secure username/or 
electronic access card and password requirements.
    Record Access Procedure is being amended to remove name or other 
personal identifier. This section will include the SSN.
    VA Appendix 5 is amending number 1 to replace of Office of the 
Assistant Deputy Under Secretary for Health (ADUSH) for Policy and 
Planning with Office of Policy and Planning/Chief Strategy Office. 
Being deleted are items 2. VA Information Resource Center (VIReC), 
Hines VA Medical Center, 5th Ave & Roosevelt Ave, Hines, IL 60141. 
Veterans Health Administration (VHA), 810 Vermont Avenue NW, 
Washington, DC 20420 and items 3. Office of the Assistant Deputy Under 
Secretary for Health (ADUSH) for Policy and Planning, 811 Vermont 
Avenue NW, Washington, DC 20420, Silver Spring, MD, and/or Martinsburg, 
WV. Item 5 which is now number 3 is replacing VA facilities with 
``Other VA controlled systems''.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. James P. 
Gfrerer, Assistant Secretary of Information and Technology and Chief 
Information Officer, approved this document on November 10, 2020 for 
publication.


[[Page 84121]]


    Dated: December 18, 2020.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    ``Consolidated Data Information System-VA'' (97VA10)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records will be maintained at Department of Veteran Affairs (VA) 
Veterans Health Administration (VHA) sites for the Centers for Medicare 
and Medicaid Services (CMS) data (see VA Appendix 5).

SYSTEM MANAGER(S):
    Manager, Medicare and Medicaid Analysis Center, 100 Grandview Road, 
Suite 114, Braintree, MA 02184.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 527 of 38 U.S.C. and the Government Performance and Results 
Act of 1993, Public Law 103-62.

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system of records is to conduct statistical 
studies and analyses which will support the formulation of Departmental 
policies and plans by identifying the total current health care usage 
of the VA patient population. The records and information may be used 
by VA in evaluation of Department programs. The information may be used 
to conduct research.

CATEGORIES OF INDIVIDUALS COVERED BY THIS SYSTEM:
    Records include information concerning VA-enrolled Veterans, their 
spouses and their dependents, family members, active duty military 
personnel, individuals who are not VA enrollees but who receive health 
care services from VHA and other non-Veterans.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Categories of records in the system will include Veterans' names, 
addresses, dates of birth, VA claim numbers, Social Security numbers 
(SSN), and military service information, medical benefit application 
and eligibility information, code sheets and follow-up notes, 
sociological, diagnostic, counseling, rehabilitation, drug and alcohol, 
dietetic, medical, surgical, dental, psychological, and/or psychiatric 
medical information, prosthetic, pharmacy, nuclear medicine, social 
work, clinical laboratory and radiology information, patient scheduling 
information, family information such as next of kin, spouse and 
dependents' names, addresses, Social Security numbers and dates of 
birth, family medical history, employment information, financial 
information, third-party health plan information, information related 
to registry systems, date of death, VA claim and insurance file 
numbers, travel benefits information, military decorations, disability 
or pension payment information, amount of indebtedness arising from 38 
U.S.C. benefits, applications for compensation, pension, education and 
rehabilitation benefits, information related to incarceration in a 
penal institution, medication profile such as name, quantity, 
prescriber, dosage, manufacturer, lot number, cost and administration 
instruction, pharmacy dispensing information such as pharmacy name and 
address.
    The records will include information on Medicare and Medicaid 
beneficiaries from CMS databases including information related to 
health care usage, demographics, enrollment, prescription drugs and 
survey files. The records also include patient assessments for patients 
receiving care from CMS certified facilities. The records also include 
data from United States Renal Data Systems (USRDS) for patients with 
chronic and end-stage renal disease.
    The records include information on Veterans enrolled for VA health 
care who have participated in the periodic ``VA Survey of Veteran 
Enrollees' Health and Use of Health Care''.
    The records also include information on: Civilian Health and 
Medical Program of the Department of Veterans Affairs (CHAMPVA), VA/DOD 
Identity Repository (VADIR), as well as the Operations Enduring Freedom 
and Operations Iraqi Freedom (OEF/OIF) roster (Defense Manpower Data 
Center).

RECORD SOURCE CATEGORIES:
    Information may be obtained from the Patient Medical Records-VA 
(24VA10A7), Non-VA Care (Fee) Records-VA (23VA10NB3), Veterans and 
Beneficiaries Identification and Records Location Subsystem (38VA21), 
Compensation, Pension, Education and Rehabilitation Records (58VA21/
22), all other potential VA and non-VA sources of Veteran demographic 
information, and CMS databases. The records also include information 
from: CHAMPVA, VADIR, as well as the OEF/OIF roster (Defense Manpower 
Data Center), and USRDS.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    VA may disclose protected health information pursuant to the 
following routine uses where required by law, or required or permitted 
by 45 CFR parts 160 and 164.
    1. VA may disclose any information in this system, except the names 
and home addresses of Veterans and their dependents, which is relevant 
to a suspected or reasonably imminent violation of law, whether civil, 
criminal or regulatory in nature and whether arising by general or 
program statute or by regulation, rule or order issued pursuant 
thereto, to a State, local or foreign agency charged with the 
responsibility of investigating or prosecuting such violation, or 
charged with enforcing or implementing the statute, regulation, rule or 
order. VA may also disclose the names and addresses of Veterans and 
their dependents to a Federal agency charged with the responsibility of 
investigating or prosecuting civil, criminal or regulatory violations 
of law, or charged with enforcing or implementing the statute, 
regulation, rule or order issued pursuant thereto.
    2. Disclosure may be made, excluding name and address (unless name 
and address are furnished by the requestor) for research purposes 
determined to be necessary and proper to epidemiological and other 
research facilities approved by the System Manager or the Under 
Secretary for Health, or designee.
    3. Any record in the system of records may be disclosed to a 
Federal agency for the conduct of research and data analysis to perform 
a statutory purpose of that Federal agency upon the prior written 
request of that agency, provided that there is legal authority under 
all applicable confidentiality statutes and regulations to provide the 
data and VHA Medicare and Medicaid Analysis Center (MAC) has determined 
prior to the disclosure that VA data handling requirements are 
satisfied. MAC may disclose limited individual identification 
information to another Federal agency for the purpose of matching and 
acquiring information held by that agency for MAC to use for the 
purposes stated for this system of records.
    4. Disclosure may be made to National Archives and Records 
Administration (NARA) in records management inspections conducted under 
authority of title 44 United States Code.
    5. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the

[[Page 84122]]

information, after either VA or DoJ determines that such information is 
relevant to DoJ's representation of the United States or any of its 
components in legal proceedings before a court or adjudicative body, 
provided that, in each case, the agency also determines prior to 
disclosure that release of the records to the DoJ is limited to 
circumstances where relevant and necessary to the litigation. VA may 
disclose records in this system of records in legal proceedings before 
a court or administrative body after determining that release of the 
records to the DoJ is limited to circumstances where relevant and 
necessary to the litigation.
    6. Disclosure may be made to individuals, organizations, private or 
public agencies, or other entities or individuals with whom VA has a 
contract or agreement to perform such services as VA may deem 
practicable for the purposes of laws administered by VA, in order for 
the contractor, subcontractor, public or private agency, or other 
entity or individual with whom VA has an agreement or contract to 
perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary entity or individual to perform an activity 
that is necessary for individuals, organizations, private or public 
agencies, or other entities or individuals with whom VA has a contract 
or agreement to provide the service to VA.
    7. VA may disclose any information or records to appropriate 
agencies, entities, and persons when: (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons is reasonably necessary to assist in connection with VA efforts 
to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    8. The record of an individual who is covered by a system of 
records may be disclosed to a Member of Congress, or a staff person 
acting for the member, when the member or staff person requests the 
record on behalf of and at the written request of the individual.
    9. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    10. To disclose information to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discriminatory practices, examination of Federal 
affirmative employment programs, or the other functions of the 
Commission as authorized by law or regulation.
    11. To disclose information to officials of the Merit Systems 
Protection Board, when requested in connection with appeals, special 
studies of the civil service and other merit systems, review of rules 
and regulations, investigation of alleged or possible prohibited 
personnel practices, and such other functions, promulgated in 5 U.S.C. 
1205 and 1206, or as may be authorized by law.
    12. To disclose to the Federal Labor Relations Authority (including 
its General Counsel) information related: (1) To the establishment of 
jurisdiction, the investigation and resolution of allegations of unfair 
labor practices, or information in connection with the resolution of 
exceptions to arbitration awards when a question of material fact is 
raised; (2) to disclose information in matters properly before the 
Federal Service Impasses Panel; and (3) to investigate representation 
petitions and conduct or supervise representation elections.
    13. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Data is maintained on VA approved removable media, VA approved and 
audited external servers and VA controlled systems.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by SSN or system beneficiary identifier.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Copies of back-up computer files will be maintained at primary and 
secondary VA recipient sites for CMS data (see Appendix 5). In 
accordance with Records Control Schedule 10-1, 2201.2: Records that are 
intermediary and temporary can be destroyed upon verification of 
successful creation of the final document or file; or when no longer 
needed for business use, whichever is later. (GRS 5.2 item 020, DAA-
GRS-2017-0003-0001).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. Access to and use of these records is limited to those persons 
whose official duties require such access. Personnel screening is 
employed to prevent unauthorized disclosure.
    2. Access to VA computer systems and data stored within these 
systems is restricted through secure username/or electronic access card 
and password requirements.
    3. Access to VA facilities where identification codes, passwords, 
security profiles and possible security violations are maintained is 
controlled at all hours by the Federal Protective Service, VA or other 
security personnel and security access control devices.

RECORD ACCESS PROCEDURE:
    An individual who seeks access to records maintained under his/her 
SSN may write the System Manager named above and specify the 
information being contested.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures).

NOTIFICATION PROCEDURE:
    Individuals wishing to inquire whether this system of records 
contains information about them should submit a signed written request 
to the Manager, Medicare and Medicaid Analysis Center, 100 Grandview 
Road, Suite 114, Braintree, MA 02184.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Last full publication provided in 76 FR 25409 dated May 4, 2011.

VA Appendix 5

    1. VA Medicare and Medicaid Analysis Center, field unit of 
Office of Policy and Planning/Chief Strategy Office, 100 Grandview 
Road, Suite 114, Braintree, MA 02184.
    2. Austin Information Technology Center, 1615 Woodward Street, 
Austin, TX 78772.
    3. Other VA controlled systems.

[FR Doc. 2020-28342 Filed 12-22-20; 8:45 am]
BILLING CODE P