Privacy Act of 1974; System of Records, 6979-6985 [2021-01510]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 86, Number 14 (Monday, January 25, 2021)]
[Notices]
[Pages 6979-6985]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-01510]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA), Veterans Health 
Administration (VHA).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 requires that all agencies publish in 
the Federal Register a notice of the existence and character of their 
systems of records. Notice is hereby given that the Department of 
Veterans Affairs (VA) is establishing a new system of records entitled, 
``Community Care (CC) Provider Profile Management System (PPMS)-VA'' 
(186VA10D).

DATES: Comments on this new system of records must be received no later 
than 30 days after date of publication in the Federal Register. If no 
public comment is received during the period allowed for comment or 
unless otherwise published in the Federal Register by VA, the new 
system of records will become effective a minimum of 30 days after date 
of publication in the Federal Register. If VA receives public comments, 
VA shall review the comments to determine whether any changes to the 
notice are necessary.

ADDRESSES: Written comments concerning the new system of records may be 
submitted by: Mail or hand-delivery to Director, Regulations Management 
(00REG), Department of Veterans Affairs, 810 Vermont Avenue NW, Room 
1068, Washington, DC 20420; fax to (202) 273-9026; or Email to https://www.Regulations.gov. Comments should indicate that they are submitted 
in response to ``Community Care Provider Profile Management System 
(PPMS)-VA'' (186VA10D). All comments received will be available for 
public inspection in the Office of Regulation Policy and Management, 
Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday 
through Friday (except holidays). Please call (202) 461-4902 (this is 
not a toll-free number) for an appointment.

FOR FURTHER INFORMATION CONTACT: CC Program Manager Office of 
Information and Technology (OIT), Enterprise Portfolio Management 
Division (EPMD), St. Petersburg Field Office, 9500 Bay Pines Boulevard, 
St. Petersburg, Florida 33708, Mailing Address: P.O. Box 1437, St. 
Petersburg, Florida 33708; telephone at (727) 230-9032 (this is not a 
toll-free number). VHA Office of Community Care, P.O. Box 469066, 
Denver, Colorado 80246.

SUPPLEMENTARY INFORMATION: 

I. Description of Proposed Systems of Records

    The Community Care (CC) Provider Profile Management System (PPMS) 
is focused on the implementation and maintenance of a provider 
directory to be used by the multiple VA portfolios in maintaining the 
Community Care Network (CCN), TriWest Patient-Centered Community Care 
(PC3) and Choice Program, Individual Care Agreements, Veteran Care 
Agreements, VA Medical Center (VAMC) Local Contracts, Indian Health 
Service Providers, Department of Defense facilities, and VAMC 
providers.

II. Proposed Routine Use Disclosures of Data in the System

    We are proposing to establish the following Routine Use disclosures 
of information maintained in the system. PPMS will collect and retain 
personally identifiable information on non-VA health care providers. VA 
Provider publically available data is retained in the system, no 
personally identifiable information is collected on VA providers. These 
providers will be conducting health services with VA.
    1. VA may disclose information from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of that individual. VA must be able to provide information 
about individuals to adequately respond to inquiries from Members of 
Congress at the request of constituents who have sought their 
assistance.
    2. VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons is reasonably necessary to assist in connection with VA efforts 
to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    3. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or

[[Page 6980]]

adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is limited to circumstances where relevant and necessary to the 
litigation. VA may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that release of the records to the DoJ is limited to circumstances 
where relevant and necessary to the litigation.
    4. VA may disclose information from this system of records to 
individuals, organizations, private or public agencies, or other 
entities or individuals with whom VA has a contract or agreement to 
perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor, subcontractor, 
public or private agency, or other entity or individual with whom VA 
has a contract or agreement to perform services under the contract or 
agreement. This routine use includes disclosures by an individual or 
entity performing services for VA to any secondary entity or individual 
to perform an activity that is necessary for individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to provide the 
service to VA. This routine use, which also applies to agreements that 
do not qualify as contracts defined by Federal procurement laws and 
regulations, is consistent with OMB guidance in OMB Circular A-130, 
App. I, paragraph 5a(1)(b) that agencies promulgate routine uses to 
address disclosure of Privacy Act-protected information to contractors 
in order to perform the services contracts for the agency.
    5. VA may disclose information from this system to the Equal 
Employment Opportunity Commission (EEOC) when requested in connection 
with investigations of alleged or possible discriminatory practices, 
examination of Federal affirmative employment programs, or other 
functions of the Commission as authorized by law or regulation. VA must 
be able to provide information to EEOC to assist it in fulfilling its 
duties to protect employees' rights, as required by statute and 
regulation.
    6. VA may disclose information from this system to the Federal 
Labor Relations Authority (FLRA), including its General Counsel, 
information related to the establishment of jurisdiction, 
investigation, and resolution of allegations of unfair labor practices, 
or in connection with the resolution of exceptions to arbitration 
awards when a question of material fact is raised; for it to address 
matters properly before the Federal Services Impasses Panel, 
investigate representation petitions, and conduct or supervise 
representation elections. VA must be able to provide information to 
FLRA to comply with the statutory mandate under which it operates.
    7. VA may disclose information from this system to the Merit 
Systems Protection Board (MSPB), or the Office of the Special Counsel, 
when requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law. VA must be able to provide information to MSPB to 
assist it in fulfilling its duties as required by statute and 
regulation.
    8. VA may disclose information from this system to the National 
Archives and Records Administration (NARA) and General Services 
Administration (GSA) in records management inspections conducted under 
title 44, U.S.C. NARA is responsible for archiving old records which 
are no longer actively used but may be appropriate for preservation, 
and for the physical maintenance of the Federal government's records. 
Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    9. VA may disclose relevant information to: (1) A Federal agency or 
CC institutions and providers when VA refers a patient for hospital or 
nursing home care or medical services, or authorizes a patient to 
obtain non-VA medical services and the information is needed by the 
Federal agency or non-VA institution or provider to perform the 
services; or (2) a Federal agency or to a non-VA hospital (Federal, 
state, and local public or private) or other medical installation 
having hospital facilities, organ banks, blood banks, or similar 
institutions, medical schools or clinics, or other groups or 
individuals that have contracted or agreed to provide medical services 
or share the use of medical resources under the provisions of 38 U.S.C. 
513, 7409, 8111, or 8153, when treatment is rendered by VA under the 
terms of such contract or agreement or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment and/or follow-up, determining entitlement to a benefit, or 
for VA to effect recovery of the costs of the medical care.
    10. VA may disclose information in this system, to a Federal, 
state, or local agency maintaining civil or criminal violation records, 
or other pertinent information such as prior employment history, prior 
Federal employment background investigations, and/or personal or 
educational background in order for VA to obtain information relevant 
to the hiring, transfer or retention of an employee, the letting of a 
contract, the granting of a security clearance, or the issuance of a 
grant or other benefit.
    11. VA may disclose information from this system of records to a 
Federal agency or the District of Columbia government, in response to 
its request, in connection with the hiring or retention of an employee 
and the issuance of a security clearance as required by law, the 
reporting of an investigation of an employee, the issuance of a 
license, grant, or other benefit by the requesting agency, to the 
extent that the information is relevant and necessary to the requesting 
agency's decision.
    12. Any information in this system may be disclosed to a state or 
local agency, upon its official request, to the extent that it is 
relevant and necessary to that agency's decision on: The hiring, 
transfer or retention of an employee, the issuance of a security 
clearance, the letting of a contract, or the issuance or continuance of 
a license, grant or other benefit by the agency; provided, that the 
name and address is provided first by the requesting state or local 
agency.
    13. VA may disclose information concerning CC providers, including 
name, address, and national provider idententification numbers which 
may be disclosed to the Department of the Treasury, Internal Revenue 
Service, to report calendar year earnings of $600 or more for income 
tax reporting purposes.
    14. VA may disclose information to the Department of the Treasury 
to facilitate payments to physicians, clinics, and pharmacies for 
reimbursement of services rendered, and to veterans for reimbursements 
of authorized expenses, or to collect, by set off or otherwise, debts 
owed the United States.
    15. VA may disclose any relevant information from this system of 
records to attorneys, insurance companies, employers, third parties 
liable or potentially liable under health plan contracts, and to 
courts, boards, or commissions, but only to the extent necessary to aid 
VA in the preparation, presentation, and prosecution of claims 
authorized under Federal, state, or local laws, and regulations 
promulgated thereunder.

[[Page 6981]]

    16. VA may disclose identifying information in this system, 
including name, address, social security number, and other information 
as is reasonably necessary to identify such individual, to the National 
Practitioner Data Bank at the time of hiring and/or clinical 
privileging/re-privileging of health care practitioners, and other 
times as deemed necessary by VA, in order for VA to obtain information 
relevant to a Department decision concerning the hiring, privileging/
re-privileging, retention, or termination of the applicant or employee.
    17. VA may disclose relevant information from this system of 
records to the National Practitioner Data Bank and/or State Licensing 
Board in the state(s) in which a practitioner is licensed, in which the 
VA facility is located, and/or in which an act or omission occurred 
upon which a medical malpractice claim was based when VA reports 
information concerning: (1) Any payment for the benefit of a physician, 
dentist, or other licensed health care practitioner which was made as 
the result of a settlement or judgment of a claim of medical 
malpractice, if an appropriate determination is made in accordance with 
Department policy that payment was related to substandard care, 
professional incompetence, or professional misconduct on the part of 
the individual; (2) a final decision which relates to possible 
incompetence or improper professional conduct that adversely affects 
the clinical privileges of a physician or dentist for a period longer 
than 30 days; or (3) the acceptance of the surrender of clinical 
privileges or any restriction of such privileges by a physician or 
dentist, either while under investigation by the health care entity 
relating to possible incompetence or improper professional conduct, or 
in return for not conducting such an investigation or proceeding. These 
records may also be disclosed as part of a computer matching program to 
accomplish these purposes.
    18. VA may disclose information from this system of records to a 
Federal agency or to a state or local government licensing board and/or 
to the Federation of State Medical Boards or a similar non-governmental 
entity which maintains records concerning individuals' employment 
histories or concerning the issuance, retention, or revocation of 
licenses, certifications, or registration necessary to practice an 
occupation, profession, or specialty, to inform a Federal agency or 
licensing boards or the appropriate non-governmental entities about the 
health care practices of a terminated, resigned, or retired health care 
employee whose professional health care activity so significantly 
failed to conform to generally accepted standards of professional 
medical practice as to raise reasonable concern for the health and 
safety of patients in the private sector or from another Federal 
agency. These records may also be disclosed as part of an ongoing 
computer matching program to accomplish these purposes.
    19. For program review purposes and the seeking of accreditation 
and/or certification, VA may disclose health care information to survey 
teams of the Joint Commission, College of American Pathologists, 
American Association of Blood Banks, and similar national accreditation 
agencies or boards with which VA has a contract or agreement to conduct 
such reviews, but only to the extent that the information is necessary 
and relevant to the review.
    20. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    21. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    22. VA may disclose information in this system which is relevant to 
a suspected or reasonably imminent violation of law, whether civil, 
criminal or regulatory in nature and whether arising by general or 
program statute or by regulation, rule or order issued pursuant 
thereto, to a Federal, state, local, tribal, or foreign agency charged 
with the responsibility of investigating or prosecuting such violation, 
or charged with enforcing or implementing the statute, regulation, rule 
or order. VA may also disclose the names and addresses of providers to 
a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which VA collected the information. In all of the routine 
use disclosures described above, either the recipient of the 
information will use the information in connection with a matter 
relating to one of VA's programs, to provide a benefit to VA, or to 
disclose information as required by law.
    Under section 264, Subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 
100 Stat. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable Health 
Information, 45 CFR parts 160 and 164. Veterans Health Administration 
(VHA) may not disclose individually identifiable health information (as 
defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 
164.501) pursuant to a routine use unless either: (a) The disclosure is 
required by law, or (b) the disclosure is also permitted or required by 
HHS' Privacy Rule. The disclosures of individually-identifiable health 
information contemplated in the routine uses published in this new 
system of records notice are permitted under the Privacy Rule or 
required by law. However, to also have authority to make such 
disclosures under the Privacy Act, VA must publish these routine uses. 
Consequently, VA is publishing these routine uses to the routine uses 
portion of the system of records notice stating that any disclosure 
pursuant to the routine uses in this system of records notice must be 
either required by law or permitted by the Privacy Rule, before VHA may 
disclose the covered information.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director, Office of Management and Budget, as required by 5 
U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 
77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. James P. 
Gfrerer, Assistant Secretary of Information and Technology and Chief 
Information

[[Page 6982]]

Officer, approved this document on May 15, 2020 for publication.

    Dated: January 19, 2021.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    Community Care (CC) Provider Profile Management System (PPMS)-VA 
(186VA10D)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are managed by the VHA Office of Community Care (Program 
Office), 3773 Cherry Creek North Drive, Denver, CO 80209.
    Microsoft Azure Cloud customer service: 1-855-270-0615, Privacy 
Data Management: https://azure.microsoft.com/en-us/privacy-data-management/.

SYSTEM MANAGER(S):
    CC Program Manager, VHA Office of Community Care, P.O. Box 469066, 
Denver, CO 80246. Telephone number 303-398-3479 (this is not a toll-
free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Public Law 104-191; 5 U.S.C. 301; 38 U.S. Code Sec.  1703; 45 Code 
of Federal Regulations (CFR) part 164; and 4 CFR 103.

PURPOSE(S) OF THE SYSTEM:
    The Community Care (CC) Provider Profile Management System (PPMS) 
is a comprehensive repository of information of VA community providers. 
PPMS collect and retain personally identifiable information on CC 
health care providers or CC providers. VA maintains a directory of 
medical providers internal VAMC medical providers and external CC 
providers which comprise the Community Care Provider Network.
    Provider data is collected in two ways. The CC provider's date of 
birth, tax identification number and/or Social Security Number will be 
collected by CCN contractors and submitted electronically directly to 
PPMS via PPMS secure Integrated Web Services (IWS). A second method of 
collecting the date is by the Medical Support Assistants (MSA), Program 
Support Assistants (PSA), Registered Nurses (RN), and Social Workers 
(Geriatrics and Extended Care (GEC)) at the local VA facility. PPMS 
will provide increased timeliness and quality service to Veterans by 
improved tracking of provider relationships and validating data 
elements, as well as enterprise wide accessibility to a comprehensive 
list of provider information for referrals and scheduling CC services 
for Veterans.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    These records may include information on:
    (1) VA health care providers: This may include, but not limited to 
Dentists, Licensed Practical or Vocational Nurses, Registered Nurses, 
Audiologists, Physician Assistants, Physicians, Podiatrists.
    (2) Non-VA health care providers (CC providers) who through a 
contractual agreement or other agreement may be providing health care 
services to VA patients.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include VA providers and non-VA provider's 
information related to: name, status, provider type, provider name, 
national provider identifier/index, provider identifier type, status 
reason, quality ranking total score, quality ranking last updated, 
preferred provider, main phone, email, billing address, internal 
control number, geo code, language, license number, drug enforcement 
administration registration number, certification, tax identification/
social security number and non-VA provider's date of birth.

RECORD SOURCE CATEGORIES:
    Medical Providers or accredited representatives, and other third 
parties; private medical facilities and health care professionals; 
other Federal agencies; employees; contractors; VHA facilities and 
automated systems providing clinical and managerial support at VA 
health care facilities.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. VA may disclose information from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of that individual. VA must be able to provide information 
about individuals to adequately respond to inquiries from Members of 
Congress at the request of constituents who have sought their 
assistance.
    2. VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons is reasonably necessary to assist in connection with VA efforts 
to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    3. VA may disclose information in this system of records to DoJ, 
either on VA's initiative or in response to DoJ's request for the 
information, after either VA or DoJ determines that such information is 
relevant to DoJ's representation of the United States or any of its 
components in legal proceedings before a court or adjudicative body, 
provided that, in each case, the agency also determines prior to 
disclosure that release of the records to the DoJ is limited to 
circumstances where relevant and necessary to the litigation. VA may 
disclose records in this system of records in legal proceedings before 
a court or administrative body after determining that release of the 
records to the DoJ is limited to circumstances where relevant and 
necessary to the litigation.
    4. VA may disclose information from this system of records to 
individuals, organizations, private or public agencies, or other 
entities or individuals with whom VA has a contract or agreement to 
perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor, subcontractor, 
public or private agency, or other entity or individual with whom VA 
has a contract or agreement to perform services under the contract or 
agreement. This routine use includes disclosures by an individual or 
entity performing services for VA to any secondary entity or individual 
to perform an activity that is necessary for individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to provide the

[[Page 6983]]

service to VA. This routine use, which also applies to agreements that 
do not qualify as contracts defined by Federal procurement laws and 
regulations, is consistent with the Office of Management and Budget 
(OMB) guidance in OMB Circular A-130, App. I, paragraph 5a(1)(b) that 
agencies promulgate routine uses to address disclosure of Privacy Act-
protected information to contractors in order to perform the services 
contracts for the agency.
    5. VA may disclose information from this system to EEOC when 
requested in connection with investigations of alleged or possible 
discriminatory practices, examination of Federal affirmative employment 
programs, or other functions of the Commission as authorized by law or 
regulation. VA must be able to provide information to EEOC to assist it 
in fulfilling its duties to protect employees' rights, as required by 
statute and regulation.
    6. VA may disclose information from this system to FLRA, including 
its General Counsel, information related to the establishment of 
jurisdiction, investigation, and resolution of allegations of unfair 
labor practices, or in connection with the resolution of exceptions to 
arbitration awards when a question of material fact is raised; for it 
to address matters properly before the Federal Services Impasses Panel, 
investigate representation petitions, and conduct or supervise 
representation elections. VA must be able to provide information to 
FLRA to comply with the statutory mandate under which it operates.
    7. VA may disclose information from this system to the Merit 
Systems Protection Board, or the Office of the Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law. VA must be able to provide information to MSPB to 
assist it in fulfilling its duties as required by statute and 
regulation.
    8. VA may disclose information from this system to NARA and GSA in 
records management inspections conducted under title 44, U.S.C. NARA is 
responsible for archiving old records which are no longer actively used 
but may be appropriate for preservation, and for the physical 
maintenance of the Federal government's records. Disclosure to other 
Federal agencies may be made to assist such agencies in preventing and 
detecting possible fraud or abuse by individuals in their operations 
and programs.
    9. VA may disclose relevant information to: (1) A Federal agency or 
CC institutions and providers when VA refers a patient for hospital or 
nursing home care or medical services, or authorizes a patient to 
obtain non-VA medical services and the information is needed by the 
Federal agency or non-VA institution or provider to perform the 
services; or (2) a Federal agency or to a non-VA hospital (Federal, 
state, and local public or private) or other medical installation 
having hospital facilities, organ banks, blood banks, or similar 
institutions, medical schools or clinics, or other groups or 
individuals that have contracted or agreed to provide medical services 
or share the use of medical resources under the provisions of 38 U.S.C. 
513, 7409, 8111, or 8153, when treatment is rendered by VA under the 
terms of such contract or agreement or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment and/or follow-up, determining entitlement to a benefit, or 
for VA to effect recovery of the costs of the medical care.
    10. VA may disclose information in this system, to a Federal, 
state, or local agency maintaining civil or criminal violation records, 
or other pertinent information such as prior employment history, prior 
Federal employment background investigations, and/or personal or 
educational background in order for VA to obtain information relevant 
to the hiring, transfer or retention of an employee, the letting of a 
contract, the granting of a security clearance, or the issuance of a 
grant or other benefit.
    11. VA may disclose information from this system of records to a 
Federal agency or the District of Columbia government, in response to 
its request, in connection with the hiring or retention of an employee 
and the issuance of a security clearance as required by law, the 
reporting of an investigation of an employee, the issuance of a 
license, grant, or other benefit by the requesting agency, to the 
extent that the information is relevant and necessary to the requesting 
agency's decision.
    12. Any information in this system may be disclosed to a state or 
local agency, upon its official request, to the extent that it is 
relevant and necessary to that agency's decision on: The hiring, 
transfer or retention of an employee, the issuance of a security 
clearance, the letting of a contract, or the issuance or continuance of 
a license, grant or other benefit by the agency; provided, that the 
name and address is provided first by the requesting state or local 
agency.
    13. VA may disclose information concerning CC institutions and 
providers, including name, address, and social security or employer's 
taxpayer identification numbers, may be disclosed to the Department of 
the Treasury, Internal Revenue Service, to report calendar year 
earnings of $600 or more for income tax reporting purposes.
    14. VA may disclose information to the Department of the Treasury 
to facilitate payments to physicians, clinics, and pharmacies for 
reimbursement of services rendered, and to veterans for reimbursements 
of authorized expenses, or to collect, by set off or otherwise, debts 
owed the United States.
    15. VA may disclose any relevant information from this system of 
records to attorneys, insurance companies, employers, third parties 
liable or potentially liable under health plan contracts, and to 
courts, boards, or commissions, but only to the extent necessary to aid 
VA in the preparation, presentation, and prosecution of claims 
authorized under federal, state, or local laws, and regulations 
promulgated thereunder.
    16. VA may disclose identifying information in this system, 
including name, address, social security number, and other information 
as is reasonably necessary to identify such individual, to the National 
Practitioner Data Bank at the time of hiring and/or clinical 
privileging/re-privileging of health care practitioners, and other 
times as deemed necessary by VA, in order for VA to obtain information 
relevant to a Department decision concerning the hiring, privileging/
re-privileging, retention, or termination of the applicant or employee.
    17. VA may disclose relevant information from this system of 
records to the National Practitioner Data Bank and/or State Licensing 
Board in the state(s) in which a practitioner is licensed, in which the 
VA facility is located, and/or in which an act or omission occurred 
upon which a medical malpractice claim was based when VA reports 
information concerning: (1) Any payment for the benefit of a physician, 
dentist, or other licensed health care practitioner which was made as 
the result of a settlement or judgment of a claim of medical 
malpractice, if an appropriate determination is made in accordance with 
Department policy that payment was related to substandard care, 
professional incompetence, or professional misconduct on the part of 
the individual; (2) a final decision

[[Page 6984]]

which relates to possible incompetence or improper professional conduct 
that adversely affects the clinical privileges of a physician or 
dentist for a period longer than 30 days; or (3) the acceptance of the 
surrender of clinical privileges or any restriction of such privileges 
by a physician or dentist, either while under investigation by the 
health care entity relating to possible incompetence or improper 
professional conduct, or in return for not conducting such an 
investigation or proceeding. These records may also be disclosed as 
part of a computer matching program to accomplish these purposes.
    18. VA may disclose information from this system of records to a 
Federal agency or to a state or local government licensing board and/or 
to the Federation of State Medical Boards or a similar non-governmental 
entity which maintains records concerning individuals' employment 
histories or concerning the issuance, retention, or revocation of 
licenses, certifications, or registration necessary to practice an 
occupation, profession, or specialty, to inform a Federal agency or 
licensing boards or the appropriate non-governmental entities about the 
health care practices of a terminated, resigned, or retired health care 
employee whose professional health care activity so significantly 
failed to conform to generally accepted standards of professional 
medical practice as to raise reasonable concern for the health and 
safety of patients in the private sector or from another Federal 
agency. These records may also be disclosed as part of an ongoing 
computer matching program to accomplish these purposes.
    19. For program review purposes and the seeking of accreditation 
and/or certification, VA may disclose health care information to survey 
teams of the Joint Commission, College of American Pathologists, 
American Association of Blood Banks, and similar national accreditation 
agencies or boards with which VA has a contract or agreement to conduct 
such reviews, but only to the extent that the information is necessary 
and relevant to the review.
    20. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    21. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    22. VA may disclose information in this system which is relevant to 
a suspected or reasonably imminent violation of law, whether civil, 
criminal or regulatory in nature and whether arising by general or 
program statute or by regulation, rule or order issued pursuant 
thereto, to a Federal, state, local, tribal, or foreign agency charged 
with the responsibility of investigating or prosecuting such violation, 
or charged with enforcing or implementing the statute, regulation, rule 
or order. VA may also disclose the names and addresses of providers to 
a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    PPMS is a repository hosted on the Microsoft Azure Government (MAG) 
Cloud for provider records which are received electronically from the 
CCNs. The CCNs collect the provider data, including the date of birth 
and tax identification number/social security number, directly from the 
provider and stores it in a mechanism outside of VA. The records are 
electronically transmitted from the CCN to VA using secure integrated 
web services where they are stored in PPMS behind the VA firewall.
    A second source of provider data are the CC Managers, MSA, PSA, RN, 
and Social Workers (GEC) at a local VA facility, who have taken the 
PPMS training, communicate directly with non-VA care providers and set 
up the provider in PPMS so they may be used in referrals for Veteran 
care. They will enter the data, including the date of birth and tax 
identification number/social security number, into PPMS which is behind 
the VA firewall. The date of birth and tax identification number/social 
security number information is a field in PPMS and is an attribute of 
the providers' profile level of data.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    For users internal to VA, electronic records are retrieved via the 
PPMS Customer Relationship Management (CRM) Tool interface using the 
Provider's name or NPI number. Only approved VA employees whom are 
provisioned with PPMS access are authorized to access records. Records 
are retrieved by name, speciality, date of birth, tax identification 
number/social security number, or other assigned identifiers of the 
individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Record Control Schedule (RCS) 10-1 item 1150 Office of Quality and 
Performance 1150.1. Health Care Provider Credentialing and Privileging 
Records. Electronic Files. Electronic version of information entered 
directly into the electronic credentialing and privileging record 
information system. Temporary; delete 30 years after the last episode 
of employment, appointment, contract, etc. from VA. (N1-015-10-07, Item 
1)

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. PPMS is a customized Microsoft Dynamics 365 solution deployed on 
a FedRAMP Accredited Microsoft Dynamics CRM Online for Government 
(CRMOL) Cloud Platform. Microsoft Dynamics 365 includes several 
security features that provide PPMS administrators with the ability to 
implement a variety of administrative and technical safeguards which 
include:
    --Account management using Microsoft Active Directory to centrally 
manage user accounts
    --User authorization through two-factor, single sign-on, 
authentication
    --Access control using role-based access control
    --Data protection through encrypting of data-at-rest
    --Auditing of user access and changes to PPMS data
    Additional physical security safeguards are also implemented within 
the Microsoft Azure Data Center on which PPMS is deployed. Microsoft 
Azure maintains overall responsibility for the oversight of data center 
operations including physical security, site services (server 
deployments and break/fix work), infrastructure build-out, critical 
environment operations and maintenance, and facilities management. Data 
Center site security officers monitor the physical security of the 
facility 24 x 7.
    2. The PPMS system is hosted in MAG Cloud infrastructure as a 
service cloud-computing environment that has been authorized at the 
high-impact level under the Federal Risk and Authorization Management 
Program (FedRAMP). The secure site-to-site

[[Page 6985]]

encrypted network connection is limited to access via the VA Trusted 
internet Connection.
    3. Access to PPMS is provisioned by a Service Now ticket routed to 
the PPMS Operations & Maintenance (O&M) team who grants access based on 
proven PPMS training completion by the individual requesting access. 
Access is monitored by O&M on a weekly basis due to limited number of 
licenses purchased for the CRM product.

RECORD ACCESS PROCEDURES:
    An individual who seeks access to records maintained under his or 
her name in this system may submit a written request to VHA Office of 
Community Care, (Privacy Office) P.O. Box 469060, Denver, Colorado 
80246-9060, or apply in person to the VHA Office of Community Care, 
3773 Cherry Creek North Drive, Suite 470, Denver, Colorado 80209.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURES:
    Any individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request to VHA Office of Community Care, (Privacy 
Office), P.O. Box 469060, Denver, Colorado 80246-9060, or apply in 
person to the VHA Office of Community Care, 3773 Cherry Creek North 
Drive, Suite 470, Denver, Colorado 80209.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

[FR Doc. 2021-01510 Filed 1-22-21; 8:45 am]
BILLING CODE 8320-01-P