Privacy Act of 1974; System of Records, 25074-25077 [2023-08710]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 88, Number 79 (Tuesday, April 25, 2023)]
[Notices]
[Pages 25074-25077]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-08710]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Veterans Health Administration (VHA), Department of Veterans 
Affairs (VA).

ACTION: Notice of modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, notice is hereby given 
that the VA is modifying the system of records entitled ``Disaster 
Emergency Medical Personnel System (DEMPS)-VA'' (98VA104). This system 
is used to provide information on sufficient health care medical 
support personnel to respond to disasters, to provide information to 
the VHA Office of Emergency Management (OEM) primarily during national, 
regional, or local emergencies caused by catastrophic events, and to 
respond to internal emergencies occurring within the Veterans 
Integrated Service Networks (VISN) requiring support to VHA facilities 
or National Disaster Frameworks, Emergency Support Function 8 (ESF 8) 
assistance to Federal, State, local, Territorial, or Tribal (SLTT) 
partners.

DATES: Comments on this modified system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by VA, the 
modified system of records will become effective a minimum of 30 days 
after date of publication in the Federal Register. If VA receives 
public comments, VA shall review the comments to determine whether any 
changes to the notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Disaster Emergency Medical Personnel System (DEMPS)-
VA'' (98VA104). Comments received will be available at regulations.gov 
for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health 
Administration Chief Privacy Officer, Department of Veterans Affairs, 
810 Vermont Avenue NW, Washington, DC 20420, [email protected], 
telephone number 704-245-2492 (Note: This is not a toll-free number).

SUPPLEMENTARY INFORMATION: VA is modifying the system by revising the 
System Name, System Number, System Location; System Manager; Purpose; 
Categories of Individuals Covered by the System; Categories of Records 
in the System; Records Source Categories; Routine Uses of Records 
Maintained in the System; Policies and Practices for Retention and 
Disposal of Records; and Physical, Procedural and Administrative 
Safeguards.
    The System Name will be changed from ``Disaster Emergency Medical 
Personnel System (DEMPS)-VA'' to ``Performance Improvement Management 
System (PIMS), Deployment Management System (DMS)-VA''.
    The System Number will be changed from 98VA104 to 98VA10 to reflect 
the current VHA organizational routing symbol.
    The System Location is being updated to remove verbiage indicating 
that records are maintained at each of the VA health care facilities. 
The address locations for VA facilities were listed in VA Appendix I of 
the biennial publication of the VA systems of record. Information from 
these records or copies of records may be maintained at the Department 
of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420; 
Network Directors' Offices; Emergency Management Strategic Healthcare 
Group Headquarters, VA Medical Center, Martinsburg, WV 25401; or with 
the Area Emergency Managers located at VA facilities. This section will 
now reflect the following: Records are maintained within the DMS/PIMS 
infrastructure and database. PIMS is a web-based system developed and 
hosted under contract with the Oak Ridge Associated Universities 
(ORAU). ORAU's cognizant government contracting office is the U.S. 
Department of Energy (DOE), Oak Ridge National Laboratory Site Office. 
PIMS is hosted on a Windows stack (Web and Structured Query Language 
server); all tiers of the PIMS application stack are hosted in a 
virtual hosting environment by ORAU in their data center in Oak Ridge, 
Tennessee.
    The System Manager is being updated to replace Director, Emergency 
Management Strategic Healthcare Group (EMSHG (13C)), with Executive 
Director, VHA OEM.
    The Purpose is being updated to revise verbiage indicating that 
records are used for the Emergency Management Strategic Healthcare 
Group primarily in times of national emergencies caused by catastrophic 
events, and to respond to internal emergencies occurring within the 
VISNs. This section will now reflect the following: Provide information 
to VHA OEM primarily in times of national, regional, or local 
emergencies requiring support to VHA facilities or National Disaster 
Frameworks, Emergency Support Function 8 (ESF 8) assistance to Federal, 
SLTT partners.
    Categories of Individuals Covered by the System is being updated to 
remove terrorist attacks, and the employment of nuclear, biological, 
and chemical weapons of mass destruction. This section will include 
supporting staff, man-made hazards, and other positions required for 
hospital and health care operations.
    Categories of Records in the System is being updated to remove: 
Information is provided on a voluntary basis. This section will include 
supporting staff, and mission assignments from other Federal 
departments and agencies. Information such as name, professional title, 
credentialing, home station, professional specialty, job position 
title.
    Records Source Categories is being updated to include: the Light 
Electronic Action Framework (LEAF) system is used to provide 
credentialing and privileging of health care providers and personnel.
    Policies and Practices for Retention and Disposal of Records is 
being updated to include VHA Records Control Schedule 10-1, Item Number 
1270.1.
    The following routine use #4 is being updated to include Clinical 
Deployment Team, Telehealth Emergency Management, or other VHA 
personnel.
    The following routine use #10 is being removed: Information may be 
disclosed to a State or local government entity or national certifying 
body that has the authority to make decisions concerning the issuance, 
retention or revocation of licenses.
    The following routine use is now being replaced as #10: Data Breach 
Response and Remediation, for Another Federal Agency: To another 
Federal agency or Federal entity, when VA determines that information 
from this system of records is reasonably necessary to assist the 
recipient agency or entity in (1) responding to a suspected or 
confirmed breach or (2) preventing, minimizing, or remedying the risk 
of harm to individuals, the recipient agency or entity (including its 
information systems, programs, and

[[Page 25075]]

operations), the Federal Government, or national security, resulting 
from a suspected or confirmed breach.
    Physical, Procedural and Administrative Safeguards is being updated 
to include VA Police Service. Number 2 will remove: Access to the 
Veterans Health Information Systems Technology Architecture (VistA) 
computer room within the health care facilities is generally limited by 
appropriate security devices and restricted to authorized VA employees 
and vendor personnel. Automatic Data Processing (ADP) peripheral 
devices are generally placed in secure areas (areas that are locked or 
have limited access) or are otherwise protected. Authorized VA 
employees may access information in the VistA system. Access to file 
information is controlled at two levels: The system recognizes 
authorized employees by a series of individually unique passwords/codes 
as a part of each data message, and the employees are limited to only 
that information in the file which is needed in the performance of 
their official duties. This section will now reflect the following: All 
tiers of the VHA PIMS application stack are hosted in a highly 
available, resilient, and redundant virtual hosting environment. The 
internet connection is provided through the Department of Energy's 
Energy Science Network (ES.NET), managed by ORAU under a DOE Authority 
to Operate (ATO). As part of the ATO, VHA PIMS has been built in 
accordance with applicable Federal Information Security Management Act 
and National Institute of Standards and Technology (NIST) security and 
privacy control requirements for Federal information systems with 
implementation of all baseline security controls commensurate with the 
Federal Information Processing Standard 199 system security 
categorization. ORAU handles data in PIMS in accordance with the 
appropriate NIST classification.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Kurt D. 
DelBene, Assistant Secretary for Information and Technology and Chief 
Information Officer, approved this document on March 18, 2023 for 
publication.

    Dated: April 20, 2023.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    Performance Improvement Management System (PIMS), Deployment 
Management System (DMS)-VA (98VA10).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained within the DMS/PIMS infrastructure and 
database. PIMS is a web-based system developed and hosted under 
contract with the Oak Ridge Associated Universities (ORAU). ORAU's 
cognizant government contracting office is the U.S. Department of 
Energy (DOE), Oak Ridge National Laboratory Site Office. PIMS is hosted 
on a Windows stack (Web and Structured Query Language server); all 
tiers of the PIMS application stack are hosted in a virtual hosting 
environment by ORAU in their data center in Oak Ridge, Tennessee.

SYSTEM MANAGER(S):
    Official responsible for maintaining the system: Executive 
Director, Veterans Health Administration (VHA) Office of Emergency 
Management (OEM), VA Medical Center, Martinsburg, West Virginia, 25405. 
Telephone number 304-264-4827 (Note: This is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for maintenance of this system of records is Executive 
Order 12656 dated November 18, 1988.

PURPOSE(S) OF THE SYSTEM:
    The records may be used for such purpose as to provide information 
on sufficient health care medical and support personnel to respond to 
disasters, to provide information to VHA OEM primarily in times of 
national, regional, or local emergencies requiring support to VHA 
facilities or National Disaster Frameworks, Emergency Support Function 
8 (ESF 8) assistance to Federal, State, Local, Territorial, or Tribal 
(SLTT) partners.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    These records include information on VA employees who make 
application to VA and are considered for deployment as health care 
providers and supporting staff, primarily in times of national, 
regional, or local emergencies in response to domestic disasters 
resulting from natural, technological, or man-made hazards. These 
individuals may include audiologists, dentists, dietitians, expanded-
function dental auxiliaries, licensed practical vocational nurses, 
nuclear medicine technologists, nurse anesthetists, nurse 
practitioners, nurses, occupational therapists, optometrists, clinical 
pharmacists, licensed physical therapists, physician assistants, 
physicians, podiatrists, psychologists, registered respiratory 
therapists, certified respiratory therapy technicians, diagnostic and 
therapeutic radiology technologists, social workers, speech 
pathologists, contracting specialists, building maintenance, 
engineering, housekeeping, other positions required for hospital and 
health care operations and other personnel associated with emergency 
management.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information on VA employees who make 
application to be deployed as health care providers and supporting 
staff primarily in times of national, regional, or local emergencies. 
This source document provides personal and demographic information, 
such as name, professional title, credentialing, home station, 
professional specialty, job position title, initiated, provided, and 
authenticated by the employee and contains the necessary approvals and 
signatures of officials in the supervisory chain for the employee's 
inclusion in the database. Information related to identifying and 
selecting by VHA OEM, Veterans Integrated Services Networks (VISN) and 
VA medical facility personnel eligible to support specific job taskings 
and assignments during disasters internal to the VHA health care system 
or external to VHA for which the VA is tasked to provide support under 
applicable authorities. Requests for issuance of travel orders and 
necessary reimbursement to VA for subsequent allocation of funds to 
home stations of deployed personnel are required to cover costs of 
travel, overtime and other expenses associated with individual 
deployments. This information is necessary to account for personnel 
deployed in support of disasters, to identify personnel with specific 
job skills and experience that may be required to support contingency 
missions tasked to VA under the VA/Department of Defense Contingency 
Plan or mission assignments from other Federal departments and 
agencies, and for the development of plans at the enterprise, network, 
and medical center level for utilization of VHA personnel in

[[Page 25076]]

support of disasters internal and external to VA.

RECORD SOURCE CATEGORIES:
    The information will be provided by the individual VA employee and 
the VA medical facility (assigned facility) or other VA location at 
which the employee is employed. VHA OEM Headquarters will also provide 
information for updates of deployment status and availability. The 
Light Electronic Action Framework (LEAF) system is used to provide 
credentialing and privileging of health care providers and personnel.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. Selected information (such as name, station and telephone 
numbers) may be disclosed to other Federal departments and agencies 
that have an interest in or obligation to track or otherwise audit 
transfer of funds to VA for reimbursement of tasks.
    2. Statistical information and other data may be disclosed to 
Federal, SLTT government agencies to assist in disaster planning and 
after-action reports.
    3. Law Enforcement: To a Federal, SLTT or foreign law enforcement 
authority or other appropriate entity charged with the responsibility 
of investigating or prosecuting such violation or charged with 
enforcing or implementing such law, provided that the disclosure is 
limited to information that, either alone or in conjunction with other 
information, indicates a violation or potential violation of law, 
whether civil, criminal or regulatory in nature. The disclosure of the 
names and addresses of Veterans and their dependents from VA records 
under this routine use must also comply with the provisions of 38 
U.S.C. 5701.
    4. Disclosure may be made to any source, such as a police 
department or the Federal Bureau of Investigation, from which 
additional information is requested to the extent necessary to identify 
the individual, inform the source of the purpose(s) of the request, and 
to identify the type of information requested such as DEMPS, Clinical 
Deployment Team, Telehealth Emergency Management, or other VHA 
personnel present at a crime scene caused by terrorists.
    5. Disclosure may be made to an agency in the executive, 
legislative, or judicial branch or the District of Columbia Government 
in response to its request, or at the initiation of VA, for information 
in connection with the selection of an employee for the deployment and 
future training of an individual, the letting of a contract, the 
issuance of a license, grant or other benefits by the requesting 
agency, or the lawful statutory, administrative or investigative 
purpose of the agency to the extent that the information is relevant 
and necessary to the requesting agency's deployment/Federal Response 
Framework needs.
    6. Congress: To a Member of Congress or staff acting upon the 
Member's behalf when the Member or staff requests the information on 
behalf of, and at the request of, the individual who is the subject of 
the record.
    7. National Archives and Records Administration (NARA): To NARA in 
records management inspections conducted under 44 U.S.C. 2904 and 2906, 
or other functions authorized by laws and policies governing NARA 
operations and VA records management responsibilities.
    8. State Licensing Boards, for Licensing: To a Federal agency, a 
state or local government licensing board, the Federation of State 
Medical Boards or a similar non-governmental entity that maintains 
records concerning individuals' employment histories or concerning the 
issuance, retention or revocation of licenses, certifications or 
registration necessary to practice an occupation, profession or 
specialty, to inform such non-governmental entities about the health 
care practices of a terminated, resigned or retired health care 
employee whose professional health care activity so significantly 
failed to conform to generally accepted standards of professional 
medical practice as to raise reasonable concern for the health and 
safety of patients in the private sector or from another Federal 
Agency. These records may also be disclosed as part of an ongoing 
computer matching program to accomplish these purposes.
    9. The Joint Commission, for Accreditation: To survey teams of The 
Joint Commission, College of American Pathologists, American 
Association of Blood Banks, and similar national accreditation agencies 
or boards with which VA has a contract or agreement to conduct such 
reviews, as relevant and necessary for the purpose of program review or 
the seeking of accreditation or certification.
    10. Data Breach Response and Remediation, for Another Federal 
Agency: To another Federal agency or Federal entity, when VA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing or remedying the risk 
of harm to individuals, the recipient agency or entity (including its 
information systems, programs, and operations), the Federal Government 
or national security, resulting from a suspected or confirmed breach.
    11. Department of Justice (DoJ), Litigation, Administrative 
Proceeding: To DoJ, or in a proceeding before a court, adjudicative 
body or other administrative body before which VA is authorized to 
appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in their official capacity;
    (c) Any VA employee in their individual capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components, is a party to 
such proceedings or has an interest in such proceedings, and VA 
determines that use of such records is relevant and necessary to the 
proceedings.
    12. Information on deployment to Federal/VHA emergencies, 
performance, or other personnel-related material may be disclosed to 
any facility with which there is, or there is proposed to be, an 
affiliation, sharing agreement, contract or similar arrangement, for 
purposes of establishing, maintaining or expanding any such 
relationship.
    13. Information concerning a health care provider's professional 
qualifications and clinical privileges may be disclosed to a VA/
emergency disaster-served client patient, or the representative or 
guardian of a patient who, due to physical or mental incapacity, lacks 
sufficient understanding or legal capacity to make decisions concerning 
his or her medical care, who is receiving or contemplating receiving 
medical or other patient care services from the provider when the 
information is needed by the patient or the patient's representative or 
guardian in order to make a decision related to the initiation of 
treatment, continuation or discontinuation of treatment, or receiving a 
specific treatment that is proposed or planned by the provider. 
Disclosure will be limited to information concerning the health care 
provider's professional qualifications (professional education, 
training and current licensure/certification status), professional 
employment history and current clinical privileges.
    14. Unions: To officials of labor organizations recognized under 5 
U.S.C. chapter 71(b)(4) when relevant and necessary to their duties of 
exclusive representation concerning personnel policies, practices and 
matters affecting working conditions.

[[Page 25077]]

    15. Information may be disclosed to the VA-appointed representative 
of an employee of all notices, determinations, decisions or other 
written communications issued to the employee in connection with an 
examination ordered by VA under medical evaluation (formerly fitness-
for-duty) examination procedures or Department-filed disability 
retirement procedures.
    16. Merit Systems Protection Board (MSPB): To the MSPB and the 
Office of the Special Counsel in connection with appeals, special 
studies of the civil service and other merit systems, review of rules 
and regulations, investigation of alleged or possible prohibited 
personnel practices and such other functions promulgated in 5 U.S.C. 
1205 and 1206, or as authorized by law.
    17. Equal Employment Opportunity Commission (EEOC): To the EEOC in 
connection with investigations of alleged or possible discriminatory 
practices, examination of Federal affirmative employment programs or 
other functions of the Commission as authorized by law.
    18. Federal Labor Relations Authority (FLRA): To the FLRA in 
connection with: The investigation and resolution of allegations of 
unfair labor practices, the resolution of exceptions to arbitration 
awards when a question of material fact is raised; matters before the 
Federal Service Impasses Panel; and the investigation of representation 
petitions and the conduct or supervision of representation elections.
    19. Contractors: To contractors, grantees, experts, consultants, 
students and others performing or working on a contract, service, 
grant, cooperative agreement or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    20. Federal Agencies, Fraud and Abuse: To other Federal agencies to 
assist such agencies in preventing and detecting possible fraud or 
abuse by individuals in their operations and programs.
    21. Data Breach Response and Remediation, for VA: To appropriate 
agencies, entities and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs and operations), the Federal Government or national security; 
and (3) the disclosure made to such agencies, entities or persons 
reasonably necessary to assist in connection with VA efforts to respond 
to the suspected or confirmed breach or to prevent, minimize or remedy 
such harm.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Automated records are maintained at all levels of management 
outlined in system location. Automated information is stored in this 
database.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records in this system are retrieved by the name, professional 
title, VISN, home station, professional specialty, job position title, 
etc., of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    An automated database of deployable personnel will be maintained by 
VHA OEM. If an individual transfers to another VA facility location, 
the individual's data will be reassigned within the system to the new 
location. Records in this system are retained and disposed of in 
accordance with the schedule approved by the Archivist of the United 
States, VHA Records Control Schedule 10-1, Item Number 1270.1.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. Access to VA working and storage areas in VA health care 
facilities are restricted to VA employees on a need-to-know basis; 
strict control measures are enforced to ensure that disclosure to these 
individuals is also based on this same principle. Generally, VA file 
areas are locked after normal duty hours, and the health care 
facilities are protected from outside access by the VA Police Service, 
Federal Protective Service or other security personnel.
    2. All tiers of the VHA PIMS application stack are hosted in a 
highly available, resilient and redundant virtual hosting environment. 
The internet connection is provided through the Department of Energy's 
Energy Science Network (ES.NET), managed by ORAU under a DOE Authority 
to Operate (ATO). As part of the ATO, VHA PIMS has been built in 
accordance with applicable Federal Information Security Management Act 
and National Institute of Standards and Technology (NIST) security and 
privacy control requirements for Federal information systems with 
implementation of all baseline security controls commensurate with the 
Federal Information Processing Standard 199 system security 
categorization. ORAU handles data in PIMS in accordance with the 
appropriate NIST classification.

RECORD ACCESS PROCEDURES:
    Individuals seeking information on the existence and content of 
records in this system pertaining to them should contact the system 
manager in writing as indicated above, or the individuals may write, 
call or visit the VA facility location where they made application for 
employment or are (or were) employed. A request for access to records 
must contain the requester's full name, address, telephone number, be 
signed by the requester, and describe the records sought in sufficient 
detail to enable VA personnel to locate them with a reasonable amount 
of effort.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest or amend records in this system 
pertaining to them should contact the system manager in writing as 
indicated above. A request to contest or amend records must state 
clearly and concisely what record is being contested, the reasons for 
contesting it, and the proposed amendment to the record.

NOTIFICATION PROCEDURES:
    Generalized notice is provided by the publication of this notice. 
For specific notice, see Record Access Procedure, above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    65 FR 25531 (May 2, 2000); 75 FR 4458 (January 27, 2010).

[FR Doc. 2023-08710 Filed 4-24-23; 8:45 am]
BILLING CODE 8320-01-P