Privacy Act of 1974; System of Records, 13806-13809 [2024-03715]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 89, Number 37 (Friday, February 23, 2024)]
[Notices]
[Pages 13806-13809]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-03715]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Veterans Health Administration (VHA), Department of Veterans 
Affairs (VA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, notice is hereby given 
that the VA is modifying the system of records titled, ``My HealtheVet 
Administrative Records-VA'' (130VA10P2). This system is used to 
administer the My HealtheVet program, including registration and 
verification of Veteran identities or to register and authenticate 
those who have legal authority to participate in lieu of Veterans. It 
is also used to assign and verify administrators of the My HealtheVet 
portal, retrieve Veteran information to perform specific functions, and 
to allow access to specific information while providing other 
associated My HealtheVet electronic services in current and future 
program applications.

DATES: Comments on this amended system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by the VA, the 
modified system of records will become effective a minimum of 30 days 
after date of publication in the Federal Register. If VA receives 
public comments, VA shall review the comments to determine whether any 
changes to the notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``My HealtheVet Administrative Records-VA'' (130VA10P2). 
Comments received will be available at regulations.gov for public 
viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, VHA Chief Privacy 
Officer, 810 Vermont Avenue NW, Washington, DC 20420; telephone 704-
245-2492 (Note: this is not a toll-free number).

SUPPLEMENTARY INFORMATION: VA is amending the system of records by 
revising the System Number; System Location; Purpose of the System; 
Records Source Categories; Categories of Individuals Covered by the 
System; Categories of Records in the System; Routine Uses of Records 
Maintained in the System; Policies and Practices for Retrieval of 
Records; Policies and Practices for Retention and Disposal of Records; 
Administrative, Technical and Physical Safeguards; Record Access 
Procedure; Contesting Records Procedures; and Notification Procedure. 
VA is republishing the system notice in its entirety.
    The System Number is changed from 130VA10P2 to 130VA10 to reflect 
the current organizational alignment.
    The System Location is being amended to remove the VA National Data 
Centers and the contracted data storage system located in Culpepper, 
Virginia. Replacing this section is, ``VA Enterprise Cloud Data 
Centers/Amazon Web Services, 1915 Terry Avenue, Seattle, WA 98101, and 
the VA Health Data Repository, 1615 Woodward Street, Austin, TX 
78741.''
    The Purpose of the System is being amended to include, 
``administrative information may also be used for My HealtheVet help 
desk and staff to troubleshoot issues.''
    The Categories of Individuals Covered by the System number 3 is 
being amended to include ``i.e., Secure Messaging Administrators, My 
HealtheVet Coordinators, Role Administrators, VA Health Resource Center 
helpdesk staff.'' This section will remove number 5 stating, ``VA 
researchers fulfilling VA required authorization procedures.''
    The Categories of Records in the System section is being amended to 
remove mother's maiden name. This section is being updated to reflect 
the following language: ``These records include the following 
information for My HealtheVet users: name, birth sex, date of birth, 
social security number, ZIP code, email profile, secure messaging email 
address, user identification, internal control number, reference 
number, date of account creation, account status, match status, date 
and time of match, correlation status, Master Person Index (MPI)

[[Page 13807]]

authentication status, date of death from MPI, login date and time, 
deactivation date and time, deactivation description and status, place 
and date of registration, user block access and comments, delegate user 
identification associated with My HealtheVet accounts.''
    The My HealtheVet Staff (i.e., Coordinators and Providers) records 
include the following identification information: ``name, work 
telephone number, work email, VA network identification, job title, 
office and department, login date and time, web analytics for the 
purpose of monitoring site usage, My HealtheVet portal access 
termination date, role and role level, and user DUZ (number).''
    In the Records Source Categories section, number 2 is being updated 
to include delegates; number 3 will be updated to include 
administrative staff; number 4 is being updated to include developers 
and testers; number 5 is being updated to include MPI. Number 6 is 
being removed, ``VA researchers fulfilling VA required authorization 
procedures in VHA Directive 1200.01(1)''.
    Routine use number 10 is being added to state, ``To another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (a) responding to a suspected or confirmed breach 
or (b) preventing, minimizing or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.''
    Routine use number 11 is being added to state, ``VHA may disclose a 
My HealtheVet account user's information to a family member or friend 
after receiving the verbal permission of the My HealtheVet account 
user.''
    Routine use number 12 is being added to state, ``To officials of 
labor organizations recognized under 5 U.S.C. chapter 71 provided that 
the disclosure is limited to information identified in 5 U.S.C. 
7114(b)(4) that is relevant and necessary to their duties of exclusive 
representation concerning personnel policies, practices and matters 
affecting working conditions.''
    Policies and Practices for Retrieval of Records is being updated to 
include ``electronic data interchange personal identifier.''
    Policies and Practices for Retention and Disposal of Records is 
being updated to remove, ``Records from this system that are needed for 
audit purposes will be retained for at least six (6) years after a 
user's account becomes inactive. Routine records will be disposed of 
when the agency determines they are no longer needed for 
administrative, legal, audit, research, or other operational purposes, 
but no less than six (6) years from date of last account activity.'' 
This section is also being amended to include the Record Control 
Schedule (RCS) and Item Number(s).
    Administrative, Technical and Physical Safeguards is being updated 
to include number 5, ``VA Enterprise Cloud data storage conforms to 
security protocols as stipulated in VA Directives 6500 and 6517. Access 
control standards are stipulated in specific agreements with cloud 
vendors to restrict and monitor access.''
    Record Access Procedures is being amended to state, ``Individuals 
seeking information on the existence and content of records in this 
system pertaining to them should contact the system manager in writing 
as indicated above, or may write or visit the VA facility location 
where they normally receive their care. A request for access to records 
must contain the requester's full name, address, telephone number, be 
signed by the requester, and describe the records sought in sufficient 
detail to enable VA personnel to locate them with a reasonable amount 
of effort.''
    Contesting Record Procedures is being amended to state, 
``Individuals seeking to contest or amend records in this system 
pertaining to them should contact the system manager in writing as 
indicated above, or may write or visit the VA facility location where 
they normally receive their care. A request to contest or amend records 
must state clearly and concisely what record is being contested, the 
reasons for contesting it, and the proposed amendment to the record.''
    Notification Procedure is being amended to state, ``Generalized 
notice is provided by the publication of this notice. For specific 
notice, see Record Access Procedure, above.''
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552al (Privacy Act) 
and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Kurt D. 
DelBene, Assistant Secretary for Information and Technology and Chief 
Information Officer, approved this document on January 18, 2024 for 
publication.

    Dated: February 20, 2024.
Amy L. Rose,
Government Information Specialist, VA Privacy Service, Office of 
Compliance, Risk and Remediation, Office of Information and Technology, 
Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    ``My HealtheVet Administrative Records-VA'' (130VA10).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained at Veterans Health Administration (VHA) 
facilities, Department of Veterans Affairs (VA) Enterprise Cloud Data 
Centers/Amazon Web Services, 1915 Terry Avenue, Seattle, WA 98101, and 
the VA Health Data Repository, 1615 Woodward Street, Austin, TX 78741. 
Address locations for VHA facilities are listed in VA Appendix 1 of the 
biennial publications of the VA system of records.

SYSTEM MANAGER(S):
    Official responsible for policies and procedures: Director of 
Veterans and Consumers Health Informatics Office, 8455 Colesville Road, 
Suite 1200, Silver Spring, Maryland 20910. Officials maintaining this 
system of record: VHA facilities (address locations for VHA facilities 
are listed in VA Appendix 1 of the biennial publications of the VA 
system of records) and the My HealtheVet Chief Information Officer, 550 
Foothill Drive, Suite 400, Salt Lake City, Utah 84113.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    38 U.S.C. 501.

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system of records is to administer the My 
HealtheVet program, including registration and verification of Veteran 
identities or to register and authenticate those who have legal 
authority to participate in lieu of Veterans. It is also used to assign 
and verify administrators of the My HealtheVet portal, retrieve Veteran 
information to perform specific functions, and to allow access to 
specific information while providing other associated My HealtheVet 
electronic services in current and future program applications. The

[[Page 13808]]

administrative information may also be used for My HealtheVet help desk 
and staff to troubleshoot issues, create administrative business 
reports for system owners and VA managers who are responsible for 
ensuring the My HealtheVet system is meeting performance expectations 
and is in compliance with applicable Federal laws and regulations. 
Administrative information may also be used for evaluation to support 
program improvement, including VA-approved research studies.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by this system encompass: (1) All individuals 
who successfully register for a My HealtheVet account and whose 
identity has been verified; (2) Representatives of the above 
individuals who have been provided Delegate access to My HealtheVet 
including, but not limited to, Power of Attorney (POA), legal guardian, 
or VA and non-VA health care providers; (3) VA health care providers 
and certain administrative staff (i.e., Secure Messaging 
Administrators, My HealtheVet Coordinators, Role Administrators, VA 
Health Resource Center helpdesk staff etc.); and (4) VA Office of 
Information and Technology (OIT) staff and/or their approved 
contractors who may need to enter identifying, administrative 
information into the system to initiate, support and maintain 
electronic services for My HealtheVet participants.

CATEGORIES OF RECORDS IN THE SYSTEM:
    These records include the following information for My HealtheVet 
users: name, birth sex, date of birth, social security number, ZIP 
code, email profile, secure messaging email address, user 
identification, internal control number, reference number, date of 
account creation, account status, match status, date and time of match, 
correlation status, Master Person Index (MPI) authentication status, 
date of death from MPI, login date and time, deactivation date and 
time, deactivation description and status, place and date of 
registration, user block access and comments, and delegate user 
identification associated with My HealtheVet accounts.
    The My HealtheVet Staff (i.e., Coordinators and Providers) records 
include the following identification information: name, work telephone 
number, work email, VA network identification, job title, office and 
department, login date and time, web analytics for the purpose of 
monitoring site usage, My HealtheVet portal access termination date, 
role and role level, and user DUZ (number).

RECORD SOURCE CATEGORIES:
    Record sources include the individuals covered by this notice and 
an additional contributor, as listed below:
    (1) All individuals who successfully register for a My HealtheVet 
account;
    (2) Representatives of the above individuals who have been provided 
access to the private health space by the Veteran user, including but 
not limited to, POA, or VA, non-VA health care providers, and 
delegates;
    (3) VA health care providers and administrative staff;
    (4) VA OIT staff and/or their contractors and subcontractors, 
developers and testers who may need to enter information into the 
system to initiate, support and maintain My HealtheVet electronic 
services for My HealtheVet users;
    (5) Veterans Health Information Systems and Technology Architecture 
(VistA), MPI and other VA Information Technology systems.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by the HIPAA Privacy Rule and 38 U.S.C. 7332, 
that information cannot be disclosed under a routine use unless there 
is also specific statutory authority in both provisions.
    1. Contractors: To contractors, grantees, experts, consultants, 
students, and others performing or working on a contract, service, 
grant, cooperative agreement, or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    2. Law Enforcement: To a Federal, state, local, territorial, tribal 
or foreign law enforcement authority or other appropriate entity 
charged with the responsibility of investigating or prosecuting a 
violation or potential violation of law, whether civil, criminal, or 
regulatory in nature, or charged with enforcing or implementing such 
law, provided that the disclosure is limited to information that, 
either alone or in conjunction with other information, indicates such a 
violation. The disclosure of the names and addresses of Veterans and 
their dependents from VA records under this routine use must also 
comply with the provisions of 38 U.S.C. 5701.
    3. National Archives and Records Administration (NARA): To the NARA 
in records management inspections conducted under 44 U.S.C. 2904 and 
2906, or other functions authorized by laws and policies governing NARA 
operations and VA records management responsibilities.
    4. Department of Justice (DoJ), Litigation, Administrative 
Proceeding: To the DoJ, or in a proceeding before a court, adjudicative 
body, or other administrative body before which VA is authorized to 
appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her individual capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components is a party to such 
proceedings or has an interest in such proceedings, and VA determines 
that use of such records is relevant and necessary to the proceedings.
    5. Congress: To a Member of Congress or staff acting upon the 
Member's behalf when the Member or staff requests the information on 
behalf of, and at the request of, the individual who is the subject of 
the record.
    6. Federal Agencies, Fraud and Abuse: To other Federal agencies to 
assist such agencies in preventing and detecting possible fraud or 
abuse by individuals in their operations and programs.
    7. Data Breach Response and Remediation, for VA: To appropriate 
agencies, entities and persons when (a) VA suspects or has confirmed 
that there has been a breach of the system of records; (b) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs and operations), the Federal Government, or national security; 
and (3) the disclosure made to such agencies, entities or persons is 
reasonably necessary to assist in connection with VA efforts to respond 
to the suspected or confirmed breach or to prevent, minimize or remedy 
such harm.
    8. Researchers, for Research: To epidemiological and other research 
facilities approved by the Under Secretary for Health for research 
purposes determined to be necessary and proper, provided that the names 
and addresses of Veterans and their dependents will not be disclosed 
unless those names and addresses are first provided to VA by the 
facilities making the request.
    9. Federal Agencies, for Research: To a Federal agency for the 
purpose of conducting research and data analysis to

[[Page 13809]]

perform a statutory purpose of that Federal agency upon the prior 
written request of that agency.
    10. Data Breach Response and Remediation, for Another Federal 
Agency: To another Federal agency or Federal entity, when VA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (a) responding to a suspected 
or confirmed breach or (b) preventing, minimizing or remedying the risk 
of harm to individuals, the recipient agency or entity (including its 
information systems, programs and operations), the Federal Government, 
or national security, resulting from a suspected or confirmed breach.
    11. Family Member: VHA may disclose a My HealtheVet account user's 
information to a family member or friend after receiving the verbal 
permission of the My HealtheVet account user.
    12. Unions, for Representation: To officials of labor organizations 
recognized under 5 U.S.C. Chapter 71 provided that the disclosure is 
limited to information identified in 5 U.S.C. 7114(b)(4) that is 
relevant and necessary to their duties of exclusive representation 
concerning personnel policies, practices and matters affecting working 
conditions.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are maintained on paper and electronic media, including 
hard drive disks, which are backed up to tape at regular intervals.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by an individual's name, user 
identification, date of registration for My HealtheVet electronic 
services, ZIP code, electronic data interchange personal identifier, 
the VA assigned Integration Control Number (ICN), date of birth and/or 
Social Security Number, if provided.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records in this system are retained and disposed of in accordance 
with the schedule approved by the Archivist of the United States, 
General Records Schedule 3.2 Item 031.

ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS:
    1. Access to and use of the My HealtheVet Administrative Records 
are limited to those persons whose official duties require such access. 
VA has established security controls and procedures to ensure that 
access is appropriately limited. Information System Security Officers 
and system data stewards review and authorize data access requests. VA 
regulates data access with security software that authenticates My 
HealtheVet administrative users and requires individually unique codes 
and passwords. VA provides Information Security training to all staff 
and instructs staff on the responsibility each person has for 
safeguarding data confidentiality. VA regularly updates security 
standards and procedures that are applied to systems and individuals 
supporting this program.
    2. Physical access to computer rooms housing the My HealtheVet 
Administrative Records is restricted to authorized staff and protected 
by a variety of security devices. The Federal Protective Service or 
other security personnel provide physical security for the buildings 
housing computer systems and data centers.
    3. Data transmissions between operational systems and My HealtheVet 
Administrative Records maintained by this system of records are 
protected by telecommunications security software and hardware as 
prescribed by Federal security and privacy laws as well as VA standards 
and practices. This includes firewalls, encryption and other security 
measures necessary to safeguard data as it travels across the VA Wide 
Area Network.
    4. Copies of back-up computer files are maintained at secure off-
site locations.
    5. VA Enterprise Cloud data storage conforms to security protocols 
as stipulated in VA Directives 6500 and 6517. Access control standards 
are stipulated in specific agreements with cloud vendors to restrict 
and monitor access.

RECORD ACCESS PROCEDURES:
    Individuals seeking information on the existence and content of 
records in this system pertaining to them should contact the system 
manager in writing as indicated above or write or visit the VA facility 
location where they normally receive their care. A request for access 
to records must contain the requester's full name, address, telephone 
number, be signed by the requester, and describe the records sought in 
sufficient detail to enable VA personnel to locate them with a 
reasonable amount of effort.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest or amend records in this system 
pertaining to them should contact the system manager in writing as 
indicated above or inquire in person at the VA health care facility 
they normally receive their care. A request to contest or amend records 
must state clearly and concisely what record is being contested, the 
reasons for contesting it, and the proposed amendment to the record.

NOTIFICATION PROCEDURES:
    Generalized notice is provided by the publication of this notice. 
For specific notice, see Record Access Procedure, above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    75 FR 70365 (November 17, 2010); 81 FR 58005 (August 24, 2016).

[FR Doc. 2024-03715 Filed 2-22-24; 8:45 am]
BILLING CODE 8320-01-P