Privacy Act of 1974; System of Records, 32292-32296 [2023-10726]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 88, Number 97 (Friday, May 19, 2023)]
[Notices]
[Pages 32292-32296]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-10726]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA), Office of Mental Health 
and Suicide Prevention (OMHSP).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 requires that all agencies publish in 
the Federal Register a notice of the existence and character of their 
systems of records. Notice is hereby given that the Department of 
Veterans Affairs (VA) is establishing a new system of records entitled, 
``PAWS Portal-VA'' (212VA10). ``PAWS'' is an acronym for ``Puppies 
Assisting Wounded Servicemembers''.

DATES: Comments on this new system of records must be received no later 
than 30 days after date of publication in the Federal Register. If no 
public comment is received during the period allowed for comment or 
unless otherwise published in the Federal Register by VA, the new 
system of records will become effective a minimum of 30 days after date 
of publication in the Federal Register. If VA receives public comments, 
VA shall review the comments to determine whether any changes to the 
notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``PAWS Portal-VA'' (212VA10). Comments received will be 
available at www.Regulations.gov for public viewing, inspection or 
copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health 
Administration (VHA) Privacy Officer, Department of Veterans Affairs, 
810 Vermont Avenue NW, Washington, DC 20420, [email protected], 
telephone number 704-245-2492 (Note: This is not a toll-free number).

SUPPLEMENTARY INFORMATION: 

I. Description of Proposed Systems of Records

    Information in this system of records is used to establish and 
maintain records of individuals participating in the Puppies Assisting 
Wounded Servicemembers for Veterans (PAWS) program. The Puppies 
Assisting Wounded Servicemembers for Veterans Therapy Act (hereinafter 
referred to as ``the Act'') was signed into law by the President on 
August 25, 2021 (Pub. L. 117-37, 125, Stat. 329). Section (2) of the 
Act requires VA to conduct a pilot program to provide canine training 
to eligible Veterans. Section 2(h) establishes VA's reporting 
requirements associated with the five-year pilot. Information is 
maintained in the PAWS Portal. The Portal will be the administrative 
repository of information required to support the program with ongoing 
assessment and monitoring. Designated VA staff will enter the contact 
and assessment information into the portal for each Veteran. This 
information will be available to service dog organizations (SDOs) to 
track attendance. Additionally, de-identified data generated from the 
PAWS Portal will be used in reports to OMHSP, VA Central Office and 
Congress on the effectiveness of the program. The PAWS Portal will 
collect Veteran patient demographic data to evaluate the success of the 
program.

II. Proposed Routine Use Disclosures of Data in the System

    We are proposing to establish the following routine use disclosures 
of information maintained in the system.
    1. Congress: VA may disclose information to a Member of Congress or 
staff acting upon the Member's behalf when the Member or staff requests 
the information on behalf of, and at the request of, the individual who 
is the subject of the record.
    2. Data breach response and remediation, for VA: VA may disclose 
information to appropriate agencies,

[[Page 32293]]

entities, and persons when (1) VA suspects or has confirmed that there 
has been a breach of the system of records,[middot] (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk of harm to individuals, VA (including its information 
systems, programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with VA's 
efforts to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    3. Data breach response and remediation, for another Federal 
agency: VA may disclose information to another Federal agency or 
Federal entity, when VA determines that the information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    4. Law Enforcement: VA may disclose information to a Federal, 
state, local, territorial, tribal, or foreign law enforcement authority 
or other appropriate entity charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing such law, provided that the disclosure is limited to 
information that, either alone or in conjunction with other 
information, indicates a violation or potential violation of law, 
whether civil, criminal, or regulatory in nature. The disclosure of the 
names and addresses of Veterans and their dependents from VA records 
under this routine use must also comply with the provisions of 38 
U.S.C. 5701.
    5. DoJ for Litigation or Administrative Proceeding: VA may disclose 
information to the Department of Justice (DoJ), or in a proceeding 
before a court, adjudicative body, or other administrative body before 
which VA is authorized to appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her individual capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components, is a party to 
such proceedings or has an interest in such proceedings, and VA 
determines that use of such records is relevant and necessary to the 
proceedings.
    6. Contractors: VA may disclose information to contractors, 
grantees, experts, consultants, students, and others performing or 
working on a contract, service, grant, cooperative agreement, or other 
assignment for VA, when reasonably necessary to accomplish an agency 
function related to the records.
    7. OPM: VA may disclose information to the Office of Personnel 
Management (OPM) in connection with the application or effect of civil 
service laws, rules, regulations, or OPM guidelines in particular 
situations.
    8. EEOC: VA may disclose information to the Equal Employment 
Opportunity Commission (EEOC) in connection with investigations of 
alleged or possible discriminatory practices, examination of Federal 
affirmative employment programs, or other functions of the Commission 
as authorized by law.
    9. FLRA: VA may disclose information to the Federal Labor Relations 
Authority (FLRA) in connection with: the investigation and resolution 
of allegations of unfair labor practices, the resolution of exceptions 
to arbitration awards when a question of material fact is raised; 
matters before the Federal Service Impasses Panel; and the 
investigation of representation petitions and the conduct or 
supervision of representation elections.
    10. MSPB: VA may disclose information to the Merit Systems 
Protection Board (MSPB) in connection with appeals, special studies of 
the civil service and other merit systems, review of rules and 
regulations, investigation of alleged or possible prohibited personnel 
practices, and such other functions promulgated in 5 U.S.C. 1205 and 
1206, or as authorized by law.
    11. NARA: VA may disclose information to the National Archives and 
Records Administration (NARA) in records management inspections 
conducted under 44 U.S.C. 2904 and 2906, or other functions authorized 
by laws and policies governing NARA operations and VA records 
management responsibilities.
    12. Health Care Providers, for Referral by VA: VA may disclose 
information to: (1) a Federal agency or health care provider when VA 
refers a patient for medical and other health services, or authorizes a 
patient to obtain such services and the information is needed by the 
Federal agency or health care provider to perform the services; or (2) 
a Federal agency or to health care provider under the provisions of 38 
U.S.C. 513, 7409, 8111, or 8153, when treatment is rendered by VA under 
the terms of such contract or agreement or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment or follow-up, determination of eligibility for benefits, or 
recovery by VA of the costs of the treatment.
    13. Health Care Providers, for Referral to VA: VA may disclose 
information to a non-VA health care provider when that health care 
provider has referred the individual to VA for medical or other health 
services.
    14. Covered Entities, for their Health Care Operations: VA may 
disclose information to a covered entity for their health care 
operations, provided that the entity either has or had a relationship 
with the individual, and the disclosure is for the purpose of:
    (a) Conducting quality assessment and improvement activities; 
patient safety activities as defined in 42 CFR 3.20; population-based 
activities relating to improving health or reducing health care costs, 
protocol development, case management, and care coordination; 
contacting of health care providers and patients with information about 
treatment alternatives; and related functions that do not include 
treatment;
    (b) Reviewing the competence or qualifications of health care 
professionals; evaluating practitioner and provider performance, health 
plan performance; conducting training programs for health care 
practitioners, trainees, and students; training of non-health care 
professionals; accreditation, certification, licensing, or 
credentialing activities; or
    (c) Health care fraud and abuse detection or compliance.
    15. Federal Agencies, for Research: VA may disclose information to 
a Federal agency for the purpose of conducting research and data 
analysis to perform a statutory purpose of that Federal agency upon the 
written request of that agency.
    16. Researchers, for Research: VA may disclose information to 
epidemiological and other research facilities approved by the Under 
Secretary for Health for research purposes determined to be necessary 
and proper, provided that the names and addresses of Veterans and their 
dependents will not be disclosed unless those names and addresses are 
first provided to VA by the facilities making the request.
    17. OMB: VA may disclose information to the Office of Management 
and Budget (OMB) for the performance of its statutory

[[Page 32294]]

responsibilities for evaluating Federal programs.
    18. Nonprofits, for Release of Name and/or Address (RONA): VA may 
disclose information to a nonprofit organization if the release is 
directly connected with the conduct of programs and the utilization of 
benefits under title 38, provided that the disclosure is limited the 
names and addresses of present or former members of the armed services 
or their beneficiaries, the records will not be used for any purpose 
other than that stated in the request, and the organization is aware of 
the penalty provision of 38 U.S.C. 5701(f).

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Kurt D. 
DelBene, Assistant Secretary for Information and Technology and Chief 
Information Officer, approved this document on April 7, 2023 for 
publication.

    Dated: May 16, 2023.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER: ``PAWS PORTAL-VA'' (212VA10)
SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    These records are the responsibility of the Office of Mental Health 
and Suicide Prevention (OMHSP), Veterans Health Administration, 
Department of Veterans Affairs. The OMHSP is located at 810 Vermont 
Avenue NW, Washington, DC 20420. Records are maintained in the 
Microsoft Government Cloud at the Boydton Data Center in Boydton, 
Virginia.

SYSTEM MANAGER(S):
    Stacey Pollack, Ph.D., National Mental Health Director, Program 
Policy Implementation, Office of Mental Health and Suicide Prevention, 
810 Vermont Avenue NW, Washington, DC 20420, telephone number 202-738-
2932 (Note: This is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The Puppies Assisting Wounded Servicemembers for Veterans Therapy 
Act (hereinafter referred to as ``the Act'') was signed into law by the 
President on August 25, 2021 (Pub. L. 117-37, 125, Stat. 329).

PURPOSE(S) OF THE SYSTEM:
    The ``PAWS Portal-VA'' will be used to store information that is 
shared between the VA medical centers (VAMCs) participating as the 
pilot sites, and the service dog organizations (SDOs) providing the 
training. The Portal will be used to track Veteran attendance in the 
program as well as the management and effectiveness of the program. The 
Portal may also be used to determine the impact on Veteran care and 
capture information on Veteran satisfaction with the program. 
Additionally, de-identified data generated from the PAWS Portal will be 
used in reports to OMHSP, VA Central Office and Congress on the 
effectiveness of the program.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records in the system are on Veterans who have received VA 
health care benefits under 38 U.S.C, Chapter 17, and SDO trainers 
participating in the program.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Information entered into the PAWS Portal includes demographic 
information, such as name, address, phone number, email address, and 
the last four of the Veteran's Social Security number. In addition, 
information regarding the Veteran's attendance in the program is 
collected, such as date of trainings and location of trainings. SDO 
trainer names and their email addresses are collected in this system. 
Eligibility-related information may also be collected, such as 
referrals, VA staff evaluations, correspondence, and documentation of 
phone calls, and any information regarding a safety issue around 
Veterans, SDO trainers, or dogs.

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by Veteran 
participants in the pilot program, the PAWS Portal VA staff, and by the 
SDO and their trainers.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information of VHA or any of its business 
associates, and 38 U.S.C. 7332, i.e., medical treatment information 
related to drug abuse, sickle cell anemia, or infection with the human 
immunodeficiency virus, that information cannot be disclosed under a 
routine use unless there is also specific disclosure authority in both 
38 U.S.C. 7332 and 45 CFR parts 160 and 164.
    1. Congress: VA may disclose information to a Member of Congress or 
staff acting upon the Member's behalf when the Member or staff requests 
the information on behalf of, and at the request of, the individual who 
is the subject of the record.
    2. Data breach response and remediation, for VA: VA may disclose 
information to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that there has been a breach of the system of 
records; (2) VA has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, VA (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with VA's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    3. Data breach response and remediation, for another Federal 
agency: VA may disclose information to another Federal agency or 
Federal entity, when VA determines that the information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    4. Law Enforcement: VA may disclose information to a Federal, 
state, local, territorial, tribal, or foreign law enforcement authority 
or other appropriate entity charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing such law, provided that the disclosure is limited to 
information that, either alone or in conjunction with other 
information, indicates a violation or potential violation of law, 
whether civil, criminal, or regulatory in nature. The disclosure of the 
names and addresses of Veterans and their dependents from VA records 
under this routine use must also comply with the provisions of 38 
U.S.C. 5701.
    5. DoJ for Litigation or Administrative Proceeding: VA may disclose 
information to the Department of Justice (DoJ), or in a proceeding 
before a court, adjudicative body, or other administrative body before 
which VA is authorized to appear, when:

[[Page 32295]]

    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her individual capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components, is a party to 
such proceedings or has an interest in such proceedings, and VA 
determines that use of such records is relevant and necessary to the 
proceedings.
    6. Contractors: VA may disclose information to contractors, 
grantees, experts, consultants, students, and others performing or 
working on a contract, service, grant, cooperative agreement, or other 
assignment for VA, when reasonably necessary to accomplish an agency 
function related to the records.
    7. OPM: VA may disclose information to the Office of Personnel 
Management (OPM) in connection with the application or effect of civil 
service laws, rules, regulations, or OPM guidelines in particular 
situations.
    8. EEOC: VA may disclose information to the Equal Employment 
Opportunity Commission (EEOC) in connection with investigations of 
alleged or possible discriminatory practices, examination of Federal 
affirmative employment programs, or other functions of the Commission 
as authorized by law.
    9. FLRA: VA may disclose information to the Federal Labor Relations 
Authority (FLRA) in connection with: the investigation and resolution 
of allegations of unfair labor practices, the resolution of exceptions 
to arbitration awards when a question of material fact is raised; 
matters before the Federal Service Impasses Panel; and the 
investigation of representation petitions and the conduct or 
supervision of representation elections.
    10. MSPB: VA may disclose information to the Merit Systems 
Protection Board (MSPB) in connection with appeals, special studies of 
the civil service and other merit systems, review of rules and 
regulations, investigation of alleged or possible prohibited personnel 
practices, and such other functions promulgated in 5 U.S.C. 1205 and 
1206, or as authorized by law.
    11. NARA: VA may disclose information to the National Archives and 
Records Administration (NARA) in records management inspections 
conducted under 44 U.S.C. 2904 and 2906, or other functions authorized 
by laws and policies governing NARA operations and VA records 
management responsibilities.
    12. Health Care Providers, for Referral by VA: VA may disclose 
information to: (1) a Federal agency or health care provider when VA 
refers a patient for medical and other health services, or authorizes a 
patient to obtain such services and the information is needed by the 
Federal agency or health care provider to perform the services; or (2) 
a Federal agency or to health care provider under the provisions of 38 
U.S.C. 513, 7409, 8111, or 8153, when treatment is rendered by VA under 
the terms of such contract or agreement or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment or follow-up, determination of eligibility for benefits, or 
recovery by VA of the costs of the treatment.
    13. Health Care Providers, for Referral to VA: VA may disclose 
information to a non-VA health care provider when that health care 
provider has referred the individual to VA for medical or other health 
services.
    14. Covered Entities, for their Health Care Operations: VA may 
disclose information to a covered entity for their health care 
operations, provided that the entity either has or had a relationship 
with the individual, and the disclosure is for the purpose of:
    (a) Conducting quality assessment and improvement activities; 
patient safety activities as defined in 42 CFR 3.20; population-based 
activities relating to improving health or reducing health care costs, 
protocol development, case management, and care coordination; 
contacting of health care providers and patients with information about 
treatment alternatives; and related functions that do not include 
treatment;
    (b) Reviewing the competence or qualifications of health care 
professionals; evaluating practitioner and provider performance, health 
plan performance; conducting training programs for health care 
practitioners, trainees, and students; training of non-health care 
professionals; accreditation, certification, licensing, or 
credentialing activities; or
    (c) Health care fraud and abuse detection or compliance.
    15. Federal Agencies, for Research: VA may disclose information to 
a Federal agency for the purpose of conducting research and data 
analysis to perform a statutory purpose of that Federal agency upon the 
written request of that agency.
    16. Researchers, for Research: VA may disclose information to 
epidemiological and other research facilities approved by the Under 
Secretary for Health for research purposes determined to be necessary 
and proper, provided that the names and addresses of Veterans and their 
dependents will not be disclosed unless those names and addresses are 
first provided to VA by the facilities making the request.
    17. OMB: VA may disclose information to the Office of Management 
and Budget (OMB) for the performance of its statutory responsibilities 
for evaluating Federal programs.
    18. Nonprofits, for Release of Name and/or Address (RONA): VA may 
disclose information to a nonprofit organization if the release is 
directly connected with the conduct of programs and the utilization of 
benefits under title 38, provided that the disclosure is limited the 
names and addresses of present or former members of the armed services 
or their beneficiaries, the records will not be used for any purpose 
other than that stated in the request, and the organization is aware of 
the penalty provision of 38 U.S.C. 5701(f).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    These records are maintained in electronic storage media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the Veteran's name, phone number, email 
address, the last four of their Social Security number, program 
attendance records or by any combination of these identifiers. Records 
are also retrieved by the name and email address of the SDO trainers 
participating in the program.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records will be retained and destroyed in accordance with the VA 
Records Control Schedule, RCS 10-1, 6400.2: Temporary, records are to 
be filed within the Veteran's electronic health records (DAA-0015-2015-
0005-0003) and 6400.3: Temporary, cutoff originals and copies at the 
end of calendar year. Destroy 7 years after cutoff (DAA-0015-2015-0005-
0004).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. On an annual basis, employees are required to sign a computer 
access agreement acknowledging their understanding of confidentiality 
requirements. In addition, all employees receive annual privacy 
awareness and information security training. 2. Access to electronic 
records is deactivated when no longer required for official duties. 
Recurring monitors are in place to ensure compliance with nationally 
and locally established security

[[Page 32296]]

measures. 3. Strict control measures are enforced to ensure that access 
to and disclosure from all records are limited to VA and the SDO 
employees whose official duties warrant access to those files. 4. 
Access to the PAWS Portal is restricted and requires approval prior to 
access. Restricted access will be provided to enable workflow 
management to administer, monitor and track services delivered via the 
PAWS Portal.

RECORD ACCESS PROCEDURES:
    Individuals seeking information regarding access to and contesting 
of the PAWS Portal records may write or visit the VA health care 
facility where the PAWS program was attended or the VA health care 
facility that referred the Veteran to participate in the PAWS program 
offsite.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURES:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to review the contents of such record, should 
submit a written request, or apply in person to the VA health care 
facility where the PAWS program was attended or to the VA health care 
facility that referred the Veteran to participate in the PAWS program 
offsite. All inquiries must reasonably describe the portion of the 
medical record involved and the place and approximate date that medical 
care was provided. Inquiries should include the patient's full name, 
Social Security number, and return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

[FR Doc. 2023-10726 Filed 5-18-23; 8:45 am]
BILLING CODE P