Privacy Act of 1974; System of Records, 33015-33019 [2021-13141]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 86, Number 118 (Wednesday, June 23, 2021)]
[Notices]
[Pages 33015-33019]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-13141]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA), Veterans Health 
Administration (VHA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, notice is hereby given 
that the Department of Veterans Affairs (VA) is amending the system of 
records entitled, ``Veteran, Patient, Employee, and Volunteer Research 
and Development Project Records--VA'' (34VA12) as set forth in the 
Federal Register. VA is amending the system of records by revising the 
System Number; System Manager; Purpose of the System; Categories of 
Individuals Covered by the System; Categories of Records in the System; 
Record Source Categories; Routine Uses of Records Maintained in the 
System; Policies and Practices for Storage of Records; Policies and 
Practices for Retention and Disposal of Records; Physical, Procedural 
and Administrative Safeguards; Record Access Procedure; and 
Notification Procedure. VA is republishing the system notice in its 
entirety.

DATES: Comments on this amended system of records must be received no 
later than July 23, 2021. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by the VA, the modified system of records will become 
effective a minimum of 30 days after date of publication in the Federal 
Register. If VA receives public comments, VA shall review the comments 
to determine whether any changes to the notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Veteran, Patient, Employee, and Volunteer Research and 
Development Project Records--VA'' (34VA12). Comments received will be 
available at regulations.gov for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health 
Administration (VHA) Privacy Officer, Department of Veterans Affairs, 
810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492 
(Note: not a toll-free number).

SUPPLEMENTARY INFORMATION: The System Number is being updated from 
34VA12 to 34VA10 to reflect the current VHA organizational routing 
symbol.
    The System Manager and Notification Procedure are being updated to 
replace, ``Director of Operations Research and Development (12)'' with 
Director of Office of Research Protections, Policy and Education, 
Office of Research and Development, Telephone number (202) 443-5681 
(Note: this is not a toll-free number).
    The Purpose is being amended to include that records may also be 
used for data analysis in order to answer a specific question and 
obtain generalizable knowledge and increased understanding of a topic 
or issue.
    Categories of Individuals Covered by the System is being amended to 
include volunteers as a caregiver, non-patient/non-Veterans, and VA 
research subjects.
    Categories of Records in the System is being amended to remove 
research support related to the invention. This section will include 
item 13) a contracted research review system. This section will also 
include other research information management system reports contain 
compliance information involving research projects conduct, support and 
oversight.
    The Record Source Categories is being amended to include 
Information technology (IT) systems or databases and non-subjects.
    The Routine Uses of Records Maintained in the System is being 
amended to remove scrambled Social Security number in Routine uses #2 
and #5.
    The language in Routine Use #14 is being updated. It previously 
stated that disclosure of the records to the Department of Justice 
(DoJ) is a use of the information contained in the records that is 
compatible with the purpose for which VA collected the records. VA may 
disclose records in this system of records in legal proceedings before 
a court or administrative body after determining that the disclosure of 
the records to the court or administrative body is a use of the 
information contained in the records that is compatible with the 
purpose for which VA collected the records. This routine use will now 
state that VA may disclose information to the Department of Justice 
(DoJ), or in a proceeding before a court, adjudicative body, or other 
administrative body before which VA is authorized to appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;

[[Page 33016]]

    (c) Any VA employee in his or her official capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components,

is a party to such proceedings or has an interest in such proceedings, 
and VA determines that use of such records is relevant and necessary to 
the proceedings, provided, however, that in each case VA determines the 
disclosure is compatible with the purpose for which the records were 
collected. If the disclosure is in response to a subpoena, summons, 
investigative demand, or similar legal process, the request must meet 
the requirements for a qualifying law enforcement request under the 
Privacy Act, 5 U.S.C. 552a(b)(7), or an order from a court of competent 
jurisdiction under 552a(b)(11).
    Routine Use #18 has been updated by clarifying the language to 
state, ``VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons is reasonably necessary to assist in connection with VA efforts 
to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.''
    Routine use #20 is being added to state, ``VA may disclose 
information from this system of records to another Federal agency or 
Federal entity, when VA determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.''
    Policies and Practices for Storage of Records is being updated to 
include (6) Web based cloud storage systems and (7) Recordings (audio 
and video).
    Policies and Practices for Retention and Disposal of Records is 
being updated to remove ``records contained in this system have not 
been categorized in a record control schedule (RCS), will be kept 
indefinitely until such time as they are. The records may not be 
destroyed until VA obtains an approved records disposition authority 
from the Archivist of the United States.'' This section is updated to 
state that Records are scheduled in accordance with RCS 10-1, 8300.6, 
temporary disposition; cutoff at the end of the fiscal year after 
completion of the research project. Destroy six (6) years after cutoff. 
May retain longer if required by other Federal regulations or the 
European General Data Protection regulations.
    The Physical, Procedural and Administrative Safeguards section is 
being updated to state that access to automated information systems are 
protected by an approved form of two factor authentication and 
communications are encrypted at rest and in transit.
    The Record Access Procedure is being amended to include research 
project submissions or participation in research projects may visit the 
VA location where the records were initially generated.
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by the Privacy Act and 
guidelines issued by OMB, December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Dominic A. 
Cussatt, Acting Assistant Secretary of Information and Technology and 
Chief Information Officer, approved this document on May 14, 2021 for 
publication.

    Dated: June 17, 2021.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    Veteran, Patient, Employee, and Volunteer Research and Development 
Project Records--VA (34VA10).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained at each VA health care facility where the 
research project was conducted, at VA facilities where research 
administration or oversight activities occur, and at VA Central Office 
(VACO). Address locations are listed in VA Appendix 1 of the biennial 
Privacy Act Issuance publication. In addition, records are maintained 
at contractor and fieldwork sites as studies are developed, data 
collected, and reports written. A list of locations where individually 
identifiable data is currently located is available from the System 
Manager.

SYSTEM MANAGER(S):
    Dr. Molly Klote, Director of Office of Research Protections, Policy 
and Education, Office of Research and Development, Department of 
Veterans Affairs, 810 Vermont Ave. NW, Washington, DC 20420. Telephone 
number (202) 443-5681 (Note: this is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, Section 7301.

PURPOSE(S) OF THE SYSTEM:
    The records and information may be used to determine eligibility 
for research funding, to determine handling of intellectual properties, 
to manage proposed and/or approved research endeavors, and to evaluate 
the research and development program. The records may also be used for 
data analysis in order to answer a specific question and obtain 
generalizable knowledge and increased understanding of a topic or 
issue.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The following categories of individuals will be covered by this 
system: (1) Veterans; (2) patients; (3) employees; (4) volunteers 
(e.g., caregivers, non-patient/non-Veterans, VA research subjects) in 
research projects being performed by VA, by a VA contractor or by 
another Federal agency in conjunction with VA; (5) members of research 
committee or subcommittees; and (6) research and development 
investigators and research and development employees.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records, or information contained in records, vary according to the 
specific research involved or research related activity involved and 
may include: (1) Research on biomedical, prosthetic and health care 
services; (2) research stressing spinal cord injuries and diseases and 
other disabilities that tend to result in paralysis of the lower 
extremities; and (3) morbidity and mortality studies on former 
prisoners of

[[Page 33017]]

war; (4) research related to injuries sustained while on active duty 
military service such as traumatic amputations, traumatic brain injury, 
and burns; (5) electronic or other databases containing research 
information developed during a research project(s) or for future 
research; (6) research information management systems such as the 
Research and Development Information System (RDIS); (7) copies of 
medical records of research participants; (8) merit review of the 
research projects; (9) review and evaluation of proposed research; (10) 
continuing review and oversight of ongoing research; (11) evaluations 
performed by research committees; (12) a review and evaluation of the 
research and development investigators and of the participants in the 
program; and (13) a contracted research review system. The review and 
evaluation information concerning the research and development 
investigators may include personal and educational background 
information as well as specific information concerning the type of 
research conducted. Invention records contain: A certification page, 
describing the place, time, research support related to the invention 
and co-inventors; Technology Transfer Program Invention Evaluation 
Sheet Internal or External Invention Assessment reports; Research and 
Development Information System (RDIS) reports or other research 
information management system reports contain compliance information 
involving research projects conduct, support and oversight; 
Correspondence; and the Office of General Counsel Letter of 
Determination.

RECORD SOURCE CATEGORIES:
    (1) Patients and patient records, (2) employees and volunteers, (3) 
other Federal agencies, (4) National Institutes of Health, (5) Centers 
for Disease Control (Atlanta, Georgia), (6) individual Veterans, (7) 
other VA systems of records and IT systems or databases, (8) research 
and development investigators, (9) research and development databases, 
and (10) non-subjects.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually-
identifiable health information, and 38 U.S.C. 7332; i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. Transfer of statistical and other data to Federal, State, and 
local government agencies and national health organizations to assist 
in the development of programs.
    2. VA may disclose any information in this system, except the 
names, home addresses, and Social Security number of Veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. VA may also disclose the names 
and Social Security number addresses of Veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto unless a Certificate of Confidentiality has 
been issued for the research by the National Institutes of Health under 
section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)).
    3. VA may disclose information to a Member of Congress or staff 
acting upon the Member's behalf when the Member or staff requests the 
information on behalf of, and at the request of, the individual who is 
the subject of the record.
    4. VA may disclose information to National Archives and Records 
Administration (NARA) in records management inspections conducted under 
44 U.S.C. 2904 and 2906, or other functions authorized by laws and 
policies governing NARA operations and VA records management 
responsibilities.
    5. VA may disclose information from this system to epidemiological 
and other research facilities approved by the Under Secretary for 
Health for research purposes determined to be necessary and proper, 
provided that the names and addresses of Veterans and their dependents 
will not be disclosed unless those names and addresses are first 
provided to VA by the facilities making the request.
    6. VA may disclose the names and address (of present or former 
members of the armed services or their beneficiaries: (1) To a 
nonprofit organization if the release is directly connected with the 
conduct of programs and the utilization of benefits under Title 38, and 
(2) to any criminal or civil law enforcement governmental agency or 
instrumentality charged under applicable law with the protection of the 
public health or safety, if a qualified representative of such 
organization, agency, or instrumentality has made a written request 
that such names or addresses be provided for a purpose authorized by 
law; provided that the records will not be used for any purpose other 
than that stated in the request and that organization, agency, or 
instrumentality is aware of the penalty provision of 38 U.S.C. 5701(f).
    7. In order to conduct VA research, names, addresses, and Social 
Security numbers may be disclosed to other Federal and state agencies 
for the purpose of the Federal or state agency disclosing information 
on the individuals back to VA.
    8. Upon request for research project data from VA approved 
research, the following information will be released to the general 
public, including governmental and non-governmental agencies and 
commercial organizations: Project title and number; name and 
educational degree of principal investigator unless the release of this 
information would place the investigator at risk (physical, 
professional, etc.); VHA medical center location; type (initial, 
progress, or final) and date of last report; name and educational 
degree of associate investigators unless the release of this 
information would place the investigator at risk (physical, 
professional, etc.); project abstract if the project is ongoing, and 
project summary if the project has been completed. In addition, upon 
specific request, keywords and indexing codes will be included for each 
project.
    9. Upon request for information regarding VA employees conducting 
research, the following information will be released to the general 
public, including governmental agencies and commercial organizations: 
Name and educational degree of investigator; VHA title; academic 
affiliation and title; hospital service; primary and secondary 
specialty areas and subspecialty unless the release of this information 
would place the investigator at risk (physical, professional, etc.)
    10. VA may disclose information to a Federal agency, a state or 
local government licensing board, the Federation of State Medical 
Boards, or a similar non-governmental entity that

[[Page 33018]]

maintains records concerning individuals' employment histories or 
concerning the issuance, retention, or revocation of licenses, 
certifications, or registration necessary to practice an occupation, 
profession, or specialty, to inform such non-governmental entities 
about the health care practices of a terminated, resigned, or retired 
health care employee whose professional health care activity so 
significantly failed to conform to generally accepted standards of 
professional medical practice as to raise reasonable concern for the 
health and safety of patients in the private sector or from another 
Federal Agency. These records may also be disclosed as part of an 
ongoing computer matching program to accomplish these purposes.
    11. VA may disclose information to the National Practitioner Data 
Bank at the time of hiring or clinical privileging/re-privileging of 
health care practitioners, and other times as deemed necessary by VA, 
in order for VA to obtain information relevant to a Department decision 
concerning the hiring, privileging/re-privileging, retention, or 
termination of the applicant or employee.
    12. VA may disclose information to the National Practitioner Data 
Bank or a State Licensing Board in the state in which a practitioner is 
licensed, in which the VA facility is located, or in which an act or 
omission occurred upon which a medical malpractice claim was based when 
VA reports information concerning: (1) Any payment for the benefit of a 
physician, dentist, or other licensed health care practitioner that was 
made as the result of a settlement or judgment of a claim of medical 
malpractice, if an appropriate determination is made in accordance with 
Department policy that payment was related to substandard care, 
professional incompetence, or professional misconduct on the part of 
the individual; (2) a final decision that relates to possible 
incompetence or improper professional conduct that adversely affects 
the clinical privileges of a physician or dentist for a period longer 
than 30 days; or (3) the acceptance of the surrender of clinical 
privileges or any restriction of such privileges by a physician or 
dentist, either while under investigation by the health care entity 
relating to possible incompetence or improper professional conduct, or 
in return for not conducting such an investigation or proceeding. These 
records may also be disclosed as part of a computer matching program to 
accomplish these purposes.
    13. Information concerning individuals who have submitted research 
program proposals for funding, including the investigator's name, 
Social Security number, research qualifications and the investigator's 
research proposal, may be disclosed to qualified reviewers for their 
opinion and evaluation of the applicants and their proposals as part of 
the application review process.
    14. VA may disclose information to the Department of Justice (DoJ), 
or in a proceeding before a court, adjudicative body, or other 
administrative body before which VA is authorized to appear, when:
    (e) VA or any component thereof;
    (f) Any VA employee in his or her official capacity;
    (g) Any VA employee in his or her official capacity where DoJ has 
agreed to represent the employee; or
    (h) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components,
    is a party to such proceedings or has an interest in such 
proceedings, and VA determines that use of such records is relevant and 
necessary to the proceedings, provided, however, that in each case VA 
determines the disclosure is compatible with the purpose for which the 
records were collected. If the disclosure is in response to a subpoena, 
summons, investigative demand, or similar legal process, the request 
must meet the requirements for a qualifying law enforcement request 
under the Privacy Act, 5 U.S.C. 552a(b)(7), or an order from a court of 
competent jurisdiction under 552a(b)(11).
    15. Any invention information in this system may be disclosed to 
affiliated intellectual property partners to aid in the possible use, 
interest in, or ownership rights in VA intellectual property.
    16. VA may disclose information concerning merit review of 
proposals submitted by an individual to the individual except that 
information concerning a third party, such as the name or other 
identifying information about the qualified reviewer of the proposal.
    17. VA may disclose to other Federal agencies to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    18. VA may disclose any information or records to appropriate 
agencies, entities, and persons when: (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons is reasonably necessary to assist in connection with VA efforts 
to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    19. VA may disclose information to contractors, grantees, experts, 
consultants, students, and others performing or working on a contract, 
service, grant, cooperative agreement, or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    20. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.

DISCLOSUE TO CONSUMER REPORTING AGENCIES:
    Reports of all transactions dealing with data will be used within 
VA and will not be provided to any consumer-reporting agency.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    (1) Paper documents, (2) microscope slides, (3) magnetic tape or 
disk or other electronic media, (4) photographs, (5) microfilm, (6) web 
based cloud storage systems, and (7) recordings (audio and video).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by individual identifiers and indexed by a 
specific project site or location, project number, or under the name of 
the research or development investigator.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are scheduled in accordance with RCS 10-1, 8300.6, 
temporary disposition; cutoff at the end of the fiscal year after 
completion of the research project. Destroy six (6) years after cutoff. 
May retain longer if required by other Federal regulations or the 
European General Data Protection regulations. (DAA-0015-2015-0004, item 
0032)

[[Page 33019]]

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    This list of safeguards furnished in this System of Record is not 
an exclusive list of measures that has been, or will be, taken to 
protect individually identifiable information. VHA will maintain the 
data in compliance with applicable VA security policy directives that 
specify the standards that will be applied to protect sensitive 
personal information. Physical Security: Access to VA working space and 
medical record storage areas is restricted to VA employees on a ``need 
to know'' basis.
    Generally, VA file areas are locked after normal duty hours and 
protected from outside access by the Federal Protective Service. 
Employee file records and file records of public figures or otherwise 
sensitive medical record files are stored in separate locked files. 
Access to automated information systems are protected by an approved 
form of two factor authentication and communications are encrypted at 
rest and in transit. Strict control measures are enforced to ensure 
that disclosure is limited to a ``need to know'' basis.
    Access to a contractor's records and their system of computers used 
with the particular project are available to authorized personnel only. 
Records on investigators stored on automated storage media are 
accessible by authorized VA personnel via VA computers or computer 
systems. They are required to take annual VA mandatory data privacy and 
security training. Security complies with applicable Federal 
Information Processing Standards (FIPS) issued by the National 
Institute of Standards and Technology (NIST). Contractors and their 
subcontractors who access the data are required to maintain the same 
level of security as VA staff.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of records in this system related to research project submissions or 
participation in research projects may write, call or visit the VA 
location where the records were initially generated.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURE:
    Interested persons should write to: Director of Office of Research 
Protections, Policy and Education, Office of Research and Development, 
Department of Veterans Affairs, 810 Vermont Ave. NW, Washington, DC 
20420. All inquiries must reasonably identify the project and site 
location; date of project and team leader.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Last full publication provided in 75 FR 29818.

[FR Doc. 2021-13141 Filed 6-22-21; 8:45 am]
BILLING CODE P