Privacy Act of 1974; System of Records, 32289-32292 [2023-10732]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 88, Number 97 (Friday, May 19, 2023)]
[Notices]
[Pages 32289-32292]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-10732]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Veterans Health Administration (VHA), Department of Veterans 
Affairs (VA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, notice is hereby given 
that the VA is modifying the system of records entitled, ``Telephone 
Service for Clinical Care Records-VA'' (113VA112). This system is used 
to provide clinical and administrative support to patient care as well 
as provide medical and administrative documentation of the care and/or 
services provided in Call Centers. This system is also used for 
improving Call Center staff's ability to provide telephone care 
services to Veterans and the quality of the service by having immediate 
access to records of calls made previously by the Veteran.

DATES: Comments on this amended system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by the VA, the 
modified system of records will become effective a minimum of 30 days 
after date of publication in the Federal Register. If VA receives 
public comments, VA shall review the comments to determine whether any 
changes to the notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Telephone Service for Clinical Care Records-VA'' 
(113VA112). Comments received will be available at regulations.gov for 
public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, VHA Chief Privacy 
Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, 
Washington, DC 20420; telephone (704) 245-2492 (Note: this is not a 
toll-free number).

SUPPLEMENTARY INFORMATION: VA is modifying the system of records by 
revising the System Number; System Location; System Manager; Purpose of 
the System; Categories of Individuals Covered by the System; Records 
Source Categories; Routine Uses of Records Maintained in the System; 
Policies and Practices for Storage of Records; and Policies and 
Practices for Retention and Disposal of Records. VA is republishing the 
system notice in its entirety.
    The System Number will be changed from 113VA112 to 113VA10 to 
reflect the current VHA organizational routing symbol.
    The System Location is being modified to remove ``records located 
at each Call Center.'' This section will include the Corporate Data 
Warehouse, Austin Information Technology Center (AITC) in Austin, 
Texas. Also, Employee Education Systems is being replaced with 
Institute for Learning, Education and Development (ILEAD).
    The System Manager is being updated to replace, ``with, Assistant 
Under Secretary for Health'' for ``Integrated Veteran Care.''
    The Purpose of the System is being modified to remove ``Utilization 
Review Accreditation Commission (URAC) for the accreditation of a Call 
Center or facility.'' This section will include another accreditation 
agency.
    Categories of Individuals Covered by the System is being modified 
to include non-enrolled patients.
    Categories of Records is being updated to replace 79VA19 with 
79VA10, and 24VA19 is replaced with 24VA10A7.
    The language in Routine Use #7 is being updated to include other 
licensed health care practitioners.
    The following routine use is added and will be routine use #17, 
``Data Breach Response and Remediation, For Another Agency: To another 
Federal agency or Federal entity, when VA determines that information 
from this system of records is reasonably necessary to assist the 
recipient agency or entity in; (1) responding to a suspected or 
confirmed breach; or (2) preventing, minimizing or remedying the risk 
of harm to individuals, the recipient agency or entity (including its 
information systems, programs and operations), the Federal Government 
or national security, resulting from a suspected or confirmed breach.''
    Policies and Practices for Storage of Records is being modified to 
remove ``automated storage media, such as magnetic tape, disc or laser 
optical media.'' This section will now include ``VistA and Computerized 
Patient Record System.''
    Policies and Practices for Retention and Disposal of Records is 
being modified to include Item Numbers 1930.2 and 1930.4.
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Kurt D. 
DelBene, Assistant Secretary for Information and Technology and Chief 
Information Officer, approved this document on April 7, 2023 for 
publication.

    Dated: May 16, 2023.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    ``Telephone Service for Clinical Care Records-VA'' (113VA10).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are located at each of the Veterans Integrated Service 
Network (VISN) Offices, which are operated at the Department of Veteran 
Affairs (VA) health care facilities or at contractor locations; and the 
Corporate Data Warehouse, Austin Information Technology Center (AITC) 
in Austin, Texas. In addition, information from clinical symptom calls 
is maintained in the patient's medical record at VA health care 
facilities; VISNs; and at the VA Institute for Learning, Education and 
Development (ILEAD), 810 Vermont Avenue NW, Washington, DC 20420. VA 
facility addresses are listed in VA Appendix 1 of the biennial 
publication of VA Privacy Act Issuances.

[[Page 32290]]

SYSTEM MANAGER(S):
    Official responsible for policies and procedures for Clinical 
Contact Centers: Assistant Under Secretary for Health for Integrated 
Veteran Care, VA, 810 Vermont Avenue NW, (16A), Washington, DC 20420. 
Telephone number (202) 461-4242 (this is not a toll-free number). 
Officials maintaining the system: Network and/or facility director at 
the Network and/or facility where the individuals are associated.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    38 U.S.C. 501.

PURPOSE(S) OF THE SYSTEM:
    The purpose of these records is to provide clinical and 
administrative support to patient care as well as provide medical and 
administrative documentation of the care and/or services provided in 
Call Centers. The records may also be used to improve Call Center 
staff's ability to provide telephone care services to Veterans and the 
quality of the service by having immediate access to records of calls 
made previously by the Veteran. Records may likewise be used for 
purposes of notifying VA providers of the patient's condition and 
status, the criteria used to judge the status of the patient and/or the 
information given to the external provider on follow-up steps that they 
must take to receive authorization for the care. Records may also be 
used to assess and improve the quality of the services provided through 
telephone care services and to produce various management and patient 
follow-up reports. Records may additionally be used to respond to 
patients, families and other inquiries, including at times non-VA 
clinicians and The Joint Commission (TJC) or another accreditation 
agency. Records, when stripped of individual patient identifiers, may 
also be used to conduct health care related studies, statistical 
analysis and resource allocation. The clinical information is 
integrated into the patient's overall health record, into quality 
improvement plans and activities of the facility, such as utilization 
review and risk management. Records are also used to improve Call 
Center services, such as patient education, the improved integration of 
clinical care, the provision of telephone care services and 
communication.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning individual enrolled and 
non-enrolled patients.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information related to:
    1. Clinical care such as clinical symptoms, questions asked about 
symptoms, answers received, clinical protocol used, and advice 
provided. It might include doctors' orders for patient care such as 
nursing care; current medications; scheduling and delivery; 
consultations, radiology, laboratory and other diagnostic and 
therapeutic examinations and results; clinical protocol and other 
reference materials; education provided, including title of education 
material and reports of contact with individuals or groups. It includes 
information related to the patient's or family member's understanding 
of the advice given and their plan of action and, sometimes, the 
effectiveness of those actions.
    2. Record of all calls made to the Call Center, including caller 
questions about medications, their uses and side effects, requests for 
renewals of prescriptions, appointment changes, benefits information 
and the actions taken related to each call, including the notification 
of providers and other staffs about the call.
    3. Contact information from private sector medical facilities or 
clinicians contacting the VA about issues such as enrolled Veterans' 
visits to an emergency department or admissions to a community medical 
center.

RECORD SOURCE CATEGORIES:
    Record sources include enrolled patients; patients' families and 
friends; private medical facilities and their clinical and 
administrative staff; health care professionals; Patient Medical 
Records-VA (24VA10A7); Veterans Health Information Systems and 
Technology Architecture (VistA) (79VA10); VA health care providers; and 
Call Center nurses and administrative staff.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information of VHA or any of its business 
associates, and 38 U.S.C. 7332; i.e., medical treatment information 
related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia, 
or infection with the human immunodeficiency virus, that information 
cannot be disclosed under a routine use unless there is also specific 
statutory authority in both 38 U.S.C. 7332 and 45 CFR parts 160, 161, 
and 164.
    1. Congress: To a Member of Congress or staff acting upon the 
Member's behalf when the Member or staff requests the information on 
behalf of, and at the request of, the individual who is the subject of 
the record.
    2. To the Department of Justice (DoJ), Litigation, Administrative 
Proceeding: To DoJ, or in a proceeding before a court, adjudicative 
body or other administrative body before which VA is authorized to 
appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her individual capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components,

    is a party to such proceedings or has an interest in such 
proceedings and VA determines that the use of such records is relevant 
and necessary to the proceedings.
    3. State Licensing Boards (SLBs), for Licensing: To a Federal 
agency, a State or local government licensing board, the Federation of 
State Medical Boards or a similar non-governmental entity that 
maintains records concerning individuals' employment histories or 
concerning the issuance, retention or revocation of licenses, 
certifications or registration necessary to practice an occupation, 
profession or specialty. This information can be used to inform such 
non-governmental entities about the health care practices of a 
terminated, resigned or retired health care employee whose professional 
health care activity so significantly failed to conform to generally 
accepted standards of professional medical practice as to raise 
reasonable concern for the health and safety of patients in the private 
sector or from another Federal agency. These records may also be 
disclosed as part of an ongoing computer matching program to accomplish 
these purposes.
    4. TJC, for Accreditation: To survey teams of TJC, College of 
American Pathologists, American Association of Blood Banks and similar 
national accreditation agencies or boards with which VA has a contract 
or agreement to conduct such reviews, as relevant and necessary for the 
purpose of program review or the seeking of accreditation or 
certification.
    5. Former Employee, Contractor or Representative, for SLB 
Reporting: To a former VA employee or contractor, as well as the 
authorized representative of

[[Page 32291]]

a current or former employee or contractor of VA, in connection with or 
in consideration of reporting that the individual's professional health 
care activity so significantly failed to conform to generally accepted 
standards of professional medical practice as to raise reasonable 
concern for the health and safety of patients, to a Federal agency, a 
State or local government licensing board or the Federation of State 
Medical Boards or a similar nongovernmental entity that maintains 
records concerning individuals' employment histories or concerning the 
issuance, retention or revocation of licenses, certifications or 
registration necessary to practice an occupation, profession or 
specialty.
    6. National Practitioner Data Bank (NPDB), for Hiring or 
Privileging: To the NPDB at the time of hiring or clinical privileging/
re-privileging of health care practitioners, and at other times as 
deemed necessary by VA, in order for VA to obtain information relevant 
to a Department decision concerning the hiring, privileging/re-
privileging, retention or termination of the applicant or employee.
    7. NPDB, SLB, for Medical Malpractice: To the NPDB or an SLB in the 
State in which a practitioner is licensed, in which the VA facility is 
located or in which an act or omission occurred upon which a medical 
malpractice claim was based when VA reports information concerning; (1) 
Any payment for the benefit of a physician, dentist or other licensed 
health care practitioner that was made as the result of a settlement or 
judgment of a claim of medical malpractice, if an appropriate 
determination is made in accordance with Department policy that payment 
was related to substandard care, professional incompetence or 
professional misconduct on the part of the individual; (2) a final 
decision that relates to possible incompetence or improper professional 
conduct that adversely affects the clinical privileges of a physician, 
dentist, or other licensed health care practitioner for a period longer 
than 30 days; or (3) the acceptance of the surrender of clinical 
privileges or any restriction of such privileges by a physician, 
dentist, or other licensed health care practitioner either while under 
investigation by the health care entity relating to possible 
incompetence or improper professional conduct or in return for not 
conducting such an investigation or proceeding. These records may also 
be disclosed as part of a computer matching program to accomplish these 
purposes.
    8. Medical School, for Evaluating Students: To a medical or nursing 
school, other health care related training institution or other 
facility with which VA has an affiliation, sharing agreement, contract 
or similar arrangement, when the student or provider is enrolled at or 
employed by the school or training institution or other facility, and 
the information is needed for personnel management, rating or 
evaluation purposes, provided that VA discloses from a named patient's 
VA medical record that relates to the performance of a health care 
student or provider.
    9. Contractors: To contractors, grantees, experts, consultants, 
students and others performing or working on a contract, service, 
grant, cooperative agreement or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    10. Federal Agencies, for Employment: To a Federal agency, except 
the United States Postal Service, or to the District of Columbia 
government, in response to its request, in connection with that 
agency's decision on the hiring, transfer or retention of an employee, 
the issuance of a security clearance, the letting of a contract, or the 
issuance of a license, grant or other benefit by that agency.
    11. Family or Partner, for Notification of Patient Status: To 
family members or the persons with whom the patient has a meaningful 
relationship, by appropriate VA personnel, to the extent necessary, on 
a need-to-know basis, and consistent with good medical-ethical 
practices.
    12. Law Enforcement: To a Federal, State, local, Territorial, 
Tribal or foreign law enforcement authority or other appropriate entity 
charged with the responsibility of investigating or prosecuting such 
violation or charged with enforcing or implementing such law, provided 
that the disclosure is limited to information that, either alone or in 
conjunction with other information, indicates a violation or potential 
violation of law, whether civil, criminal or regulatory in nature. The 
disclosure of the names and addresses of Veterans and their dependents 
from VA records under this routine use must also comply with the 
provisions of 38 U.S.C. 5701.
    13. Non-VA physician or medical facility staff: To a non-VA 
physician or medical facility staff caring for a Veteran for the 
purpose of providing relevant clinical information in an urgent or 
emergent situation.
    14. National Archives and Records Administration (NARA): To NARA in 
records management inspections conducted under 44 U.S.C. 2904 and 2906, 
or other functions authorized by laws and policies governing NARA 
operations and VA records management responsibilities.
    15. Federal Agencies, Fraud and Abuse: To other Federal agencies to 
assist such agencies in preventing and detecting possible fraud or 
abuse by individuals in their operations and programs.
    16. Data Breach Response and Remediation, for VA: To appropriate 
agencies, entities and persons when; (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs and operations), the Federal Government or national security; 
and (3) the disclosure made to such agencies, entities or persons is 
reasonably necessary to assist in connection with VA efforts to respond 
to the suspected or confirmed breach or to prevent, minimize or remedy 
such harm.
    17. Data Breach Response and Remediation, for Another Federal 
Agency: To another Federal agency or Federal entity, when VA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in; (1) responding to a suspected 
or confirmed breach; or (2) preventing, minimizing or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs and operations), the Federal 
Government or national security, resulting from a suspected or 
confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are maintained in the electronic health record, VistA and 
Computerized Patient Record System.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records in this system are retrieved by name, Social Security 
Number or other assigned identifier of the enrolled Veteran who is 
calling or about whom the call is being made.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records in this system are retained and disposed of in accordance 
with the schedule approved by the Archivist of the United States, VHA 
Records Control Schedule 10-1, Item Numbers 1930.2 and 1930.4.

[[Page 32292]]

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. Access to patient-specific information located in Call Center 
databases and storage areas is restricted to VA employees and contract 
personnel on a ``need-to-know'' basis; strict control measures are 
enforced to ensure that disclosure to these individuals is also based 
on this same principle. Generally, VA Call Center areas are locked 
after normal duty hours or when the Call Center is closed, and the 
facilities are protected from outside access by the Federal Protective 
Service or other security personnel.
    2. Access to VA and contracted Call Centers and computer rooms is 
generally limited by appropriate locking devices and restricted to 
authorized VA employees and vendor personnel. Information in VistA may 
be accessed by authorized VA employees or authorized contract 
employees. Access to file information is controlled at two levels; the 
system recognized authorized employees or contract employees by a 
series of individually unique passwords/codes as a part of each data 
message, and personnel are limited to only that information in the file 
which is needed in the performance of their official duties. 
Information that is downloaded from VistA and maintained on VA is 
afforded similar storage and access protections as the data that is 
maintained in the original files access to information stored on 
automated storage media at other VA and contract locations is 
controlled by individually unique passwords/codes.
    3. Remote access to VHA information in VistA is provided to those 
Call Center employees, either VA or contract staff, that require access 
to information stored in the health record. Access to this information 
is protected through hardened user access and is controlled by 
individual unique passwords. Additionally, contracted Call Centers, 
either VA or private sector, are required to have a separate computer 
security plan that meets national information security requirements.

RECORD ACCESS PROCEDURES:
    Individuals seeking information on the existence and content of 
records in this system pertaining to them should contact the system 
manager in writing as indicated above or may write or visit the VA 
facility location where they normally receive their care. A request for 
access to records must contain the requester's full name, address, 
telephone number, be signed by the requester, and describe the records 
sought in sufficient detail to enable VA personnel to locate them with 
a reasonable amount of effort.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest or amend records in this system 
pertaining to them should contact the system manager in writing as 
indicated above. A request to contest or amend records must state 
clearly and concisely what record is being contested, the reasons for 
contesting it, and the proposed amendment to the record.

NOTIFICATION PROCEDURES:
    Generalized notice is provided by the publication of this notice. 
For specific notice, see Record Access Procedure, above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    67 FR 63497 (October 11, 2002); 74 FR 21742 (May 8, 2009).

[FR Doc. 2023-10732 Filed 5-18-23; 8:45 am]
BILLING CODE 8320-01-P