[Federal Register Volume 64, Number 50 (Tuesday, March 16, 1999)]
[Notices]
[Pages 13049-13052]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-6304]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; Amendment of System of Records Notice 
``Means Test Verification Records--VA''

AGENCY: Department of Veterans Affairs.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Department of Veterans Affairs (VA) is amending and 
renaming the system of records currently known as ``Means Test 
Verification Records--VA (89VA161)'' as set forth in the Federal 
Register 59FR8677 (2/23/94). VA is amending the system by revising the 
System Name and Number and the paragraphs for System Location; 
Categories of Individuals Covered by the System; Categories of Records 
in the System; Authority for Maintenance of the System; and Policies 
and Practices for Storing, Retrieving, Accessing, Retaining, and 
Disposing of Records in the System, including Storage, Retrievability 
and Safeguards. VA is republishing the system notice in its entirety at 
this time.

DATES: These amendments are effective on March 16, 1999.

FOR FURTHER INFORMATION CONTACT: Alan Begbie, Director, Health 
Eligibility Center (HEC), Veterans Health Administration, 1644 Tullie 
Circle, Atlanta, Georgia 30329, (404) 235-1300.

SUPPLEMENTARY INFORMATION: The name and number of the system is changed 
from ``Means Test Verification Records'' VA(89VA161) to ``Healthcare 
Eligibility Records'' VA(89VA19) to more accurately reflect the type of 
records maintained in this system and to reflect recent organizational 
changes.
    The system location has been amended to reflect that the Income 
Verification Match Center (IVMC) has been renamed the Health 
Eligibility Center (HEC) and to indicate the current address of the 
HEC.
    The individuals covered by this system have been increased to 
include all veterans who have applied for VA healthcare services under 
Title 38, United States Code, Chapter 17, and in certain cases, members 
of their immediate families. Under the previous notice only data on 
nonservice-connected veterans was collected.
    The VHA HEC in Atlanta, Georgia, was originally established as the 
IVMC to verify the self-reported income of certain veterans with 
Internal Revenue Service (IRS) and Social Security Administration (SSA) 
information to determine the veteran's correct eligibility for VA 
healthcare benefits, as mandated by section 8051, Pub. L. 101-508. 
Section 8014 of Pub. L. 105-33 extended VA's matching authority through 
September 30, 2002.
    Title 38, United States Code, Section 1705, requires VA to design, 
establish and operate a system of annual patient enrollment. As a 
matter of policy, VHA has determined that the HEC database will be 
expanded to serve as the central repository for eligibility and 
enrollment data of veterans applying for or receiving VA healthcare 
benefits. Veterans' enrollment information such as beginning and ending 
dates of the enrollment period, enrollment status and primary 
healthcare facility, will be maintained in this database and provided 
to VA healthcare facilities involved in the veteran's care. This 
increases the types of records and individuals covered under the 
system.
    To carry out the HEC programs, the Center receives electronic 
transmissions from VA healthcare facilities via the Department's 
electronic communications system (wide area network). These 
transmissions include personal, income and eligibility information, 
such as name, social security number, address, health insurance 
coverage, and other information concerning the veteran's self-reported 
household income and eligibility status. In certain cases, these 
transmissions include limited immediate family information provided by 
the veteran.
    Compensation and pension award adjustment information contained in 
claim records administered by the Veterans Benefit Administration (VBA) 
is also sent to the HEC database, ensuring consistency of eligibility 
information contained in records covered by this system.
    The HEC automatically sends this information over VA's wide area 
network to VA medical facilities where the veteran received care within 
the previous 12 month period. VA medical facilities can query the HEC 
database to obtain information on veteran applicants who have not 
received healthcare at that facility during the previous 12 month time 
frame. If available, updated information is transmitted to the 
requesting facility and loaded into the facility's database. Access to 
data in these files is controlled at the healthcare facility in 
accordance with nationally and locally-established data security 
procedures. These standards include, but are not limited to, requiring 
a unique password for each user, restricting access to ``need-to-know'' 
data, and deactivating screen displays after short periods of 
inactivity.
    The HEC submits record identifiers (name, social security number, 
date of birth, and sex) to SSA for social security number validation. 
The validated social security number assists in matching a veteran's 
record maintained at one VA healthcare facility with records maintained 
at another. For certain veterans whose eligibility for VA healthcare is 
based on income, the validated social security number is also

[[Page 13050]]

used to match VA records with SSA and IRS for income verification 
purposes. For these veterans, the HEC database contains earned and 
unearned income data received from IRS and SSA.
    The purpose of this system of records is to conduct income testing 
and verification activities; to validate social security numbers of 
veterans receiving VA healthcare benefits; to identify veterans' third 
party health insurance coverage; to ensure accuracy of veterans' 
eligibility information for medical care benefits; and to operate an 
annual patient enrollment system.

    Approved: February 27, 1999.
Togo D. West, Jr.,
Secretary of Veterans Affairs.
89VA19
    Healthcare Eligibility Records--VA.

SYSTEM LOCATION:
    All paper and electronic records are maintained at the Health 
Eligibility Center (HEC), 1644 Tullie Circle, Atlanta, Georgia 30329 
and at VA healthcare facilities listed in the biennial publication of 
the VA's Systems of Records, Appendix A.

CATEGORIES OF INDIVIDUALS COVERED BY THIS SYSTEM:
    Veterans who have applied for VA healthcare services under Title 
38, United States Code, Chapter 17, and in certain cases, members of 
their immediate families.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Medical benefit application and eligibility information; 
identifying information including name, address, date of birth, social 
security number, claim number, eligibility information, family 
information including spouse and dependent(s) name, address, and social 
security number; employment information on veteran and spouse, 
including occupation, employer(s) name(s) and address(es); financial 
information concerning the veteran and the veteran's spouse including 
family income, assets, expenses, debts; third party health plan 
contract information, including health insurance carrier name and 
address, policy number and time period covered by policy; facility 
location(s) where treatment is provided; type of treatment provided, 
i.e., inpatient or outpatient; and dates of visits. Documents generated 
as a result of income verification by computer match with records from 
the IRS and the SSA and during the notification, verification and due 
process periods, such as initial verification letters, income 
verification forms, final confirmation letters, due process letters, 
clarification letters and subpoena documentation. Individual 
correspondence provided to the HEC by veterans or family members 
including, but not limited to, copies of death certificates; DD 214, 
Notice of Separation; disability award letters; IRS documents (i.e., 
Form 1040's, W-2's, etc.); state welfare and food stamp applications; 
VA and other pension applications; VA Forms 10-10, Application for 
Medical Benefits, and 10-10F, Financial Worksheet; workers compensation 
forms; and various annual earnings statements, as well as pay stubs.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, sections 501(a), 1705, 1722, and 
5317.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Income information that is received from IRS and SSA is protected 
by 26 U.S.C. 6103, and may not be disclosed under routine uses set 
forth absent specific authorization from the IRS or the VA Office of 
General Counsel (024).
    1. The record of an individual who is covered by this system may be 
disclosed to a Member of Congress or staff person acting for the member 
when the member or staff person requests the record on behalf of, and 
at the written request of, that individual.
    2. Disclosure of records covered by this system, as deemed 
necessary and proper to named individuals serving as accredited service 
organization representatives and other individuals named as approved 
agents or attorneys for a documented purpose and period of time, to aid 
beneficiaries in the preparation and presentation of their cases during 
the verification and/or due process procedures and in the presentation 
and prosecution of claims under laws administered by the Department of 
Veterans Affairs.
    3. In the event that information in this system of records 
maintained by this agency to carry out its functions indicates a 
violation or potential violation of law, whether civil, criminal or 
regulatory in nature, and whether arising by general statute or a 
particular program statute, or by regulation, rule or order issued 
pursuant thereto, the relevant records may be referred, as a routine 
use, to the appropriate agency, whether Federal, State, local or 
foreign, charged with the responsibility of investigating or 
prosecuting such violation or charged with enforcing or implementing 
the statute, rule, regulation, or order issued pursuant thereto.
    4. Relevant information from this system of records may be 
disclosed as a routine use in the course of presenting evidence to a 
court, magistrate or administrative tribunal in matters of 
guardianship, inquests and commitments; to private attorneys 
representing veterans rated incompetent in conjunction with issuance of 
Certificates of Incompetency; and to probation and parole officers in 
connection with Court required duties.
    5. Any information in this system may be disclosed to a VA Federal 
fiduciary or a guardian ad litem in relation to his or her 
representation of a veteran but only to the extent necessary to fulfill 
the duties of the VA Federal fiduciary or the guardian ad litem.
    6. Relevant information may be disclosed to attorneys, insurance 
companies, employers, third parties, liable or potentially liable under 
health plan contracts to the Department of Veterans Affairs, and to 
courts, boards, or commissions. Such disclosures may be made only to 
the extent necessary to aid the Department of Veterans Affairs in the 
preparation, presentation, and prosecution of claims authorized under 
Federal, State, or local laws, and regulations promulgated thereunder.
    7. Relevant information may be disclosed to the Department of 
Justice and United States Attorneys in defense or prosecution of 
litigation involving the United States, and to Federal agencies upon 
their request in connection with review of administrative tort claims 
filed under the Federal Tort Claims Act, 28 U.S.C. 2672.
    8. Disclosure may be made to the National Archives and Records 
Administration (NARA), and the General Services Administration (GSA) in 
records management inspections conducted under authority of 44 U.S.C. 
2904 and 2906.
    9. Information in this system of records may be disclosed for the 
purposes identified below to a third party, except consumer reporting 
agencies, in connection with any proceeding for the collection of an 
amount owed to the United States by virtue of a person's participation 
in any benefit program administered by the Department of Veterans 
Affairs. Information may be disclosed under this routine use only to 
the extent that it is reasonably necessary to: (a) Assist the VA in the 
collection of costs of services provided individuals not entitled to 
such services; and (b) initiate civil or criminal legal actions for 
collecting amounts owed to the United States. This disclosure is 
consistent with 38 U.S.C. 5701(b)(6).

[[Page 13051]]

    10. The name and address of a veteran, other information as is 
reasonably necessary to identify such veteran, including personal 
information obtained from other Federal agencies through computer 
matching programs and any information concerning the veteran's 
indebtedness to the United States by virtue of the person's 
participation in a benefits program administered by the VA, may be 
disclosed to a consumer reporting agency for purposes of assisting in 
the collection of such indebtedness, provided that the provisions of 38 
U.S.C. 5701(g)(4) have been met.
    11. For computer matching program and ADP security review purposes, 
record information may be disclosed to teams from other source Federal 
agencies who are parties to computer matching agreements involving the 
information maintained in this system, but only to the extent that the 
information is necessary and relevant to the review.
    12. For veterans subject to income verification requirements, the 
name and identifying information on a veteran and/or spouse may be 
provided to reported payers of earned and/or unearned income in order 
to verify the identifier provided, address, income paid, period of 
employment, and health insurance information provided on the means test 
and to confirm income and demographic data provided by other Federal 
agencies during income verification computer matching.
    13. Identifying information, including social security numbers, 
concerning veterans, their spouses, and the dependents of veterans may 
be disclosed to other Federal agencies for purposes of conducting 
computer matches to obtain valid identifying demographic and income 
information to determine or verify eligibility of certain veterans who 
are receiving VA medical care under Title 38, U.S.C.
    14. The name and social security number of a veteran, spouse and 
dependents, and other identifying information as is reasonably 
necessary may be disclosed to SSA, Department of Health and Human 
Services, for the purpose of conducting a computer match to obtain 
information to validate the social security numbers maintained in VA 
records.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING 
AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:
    All records are maintained at the HEC, 1644 Tullie Circle, Atlanta, 
Georgia 30329. Paper correspondence received from the veteran in 
response to HEC inquiries may be scanned and stored for viewing 
electronically.

RETRIEVABILITY:
    Records (or information contained in records) maintained on paper 
documents are indexed by the veteran's name and social security number 
and are filed in case number order. Automated veterans' health 
eligibility records are indexed and retrieved by the veteran's name, 
social security number or case number. Automated health eligibility 
record information on spouses may be retrieved by the spouse's name or 
social security number.

SAFEGUARDS:
    1. Data transmissions between VA healthcare facilities and the HEC 
and VA databases housed at VA's Austin Automation Center are 
accomplished using the Department's wide area network. The software 
programs at the respective facilities automatically flag records or 
events for transmission based upon functionality requirements. VA 
healthcare facilities and the HEC control access to data by using VHA's 
Veterans Health Information System and Technology Architecture (VISTA), 
(formerly known as Decentralized Hospital Computer Program (DHCP) 
software modules), specifically Kernel and MailMan. Kernel utility 
programs provide the interface between operating systems, application 
packages and users. Once data are identified for transmission, records 
are stored in electronic mail messages which are then transmitted to 
specific domains on the Department's wide area network which currently 
uses the Integrated Data Communications Utility (IDCU), a vendor-
provided set of communications utilities and hardware. The data are 
stored in the electronic mail message using Health Level Seven (HL7) 
protocol. HL7 is a standard protocol which specifies the implementation 
of interfaces between two computer applications (sender and receiver) 
from different vendors for electronic data exchange in healthcare 
environments. Based on predetermined functional specifications, HL7 
defines the data to be exchanged, the timing of the interchange, and 
the communication of errors when necessary. Server jobs at each agency 
run continuously to check for data to be transmitted and/or incoming 
data which needs to be parsed to files on the receiving end. All mail 
messages containing data transmissions include header information which 
is used for validation purposes. Consistency checks in the software are 
used to validate the transmission, and electronic acknowledgment 
messages are returned to the sending application. The Department's 
Telecommunications Support Service has oversight responsibility for 
planning, security, and management of the IDCU network.
    2. Working spaces and record storage areas at the HEC are secured 
during all business hours, as well as during non-business hours. All 
entrance doors require an electronic passcard for entry when unlocked, 
and entry doors are locked outside normal business hours. Electronic 
passcards are issued by the HEC Security Officer. Visitor entry is 
controlled by HEC staff by door release or escort. The building is 
equipped with an intrusion alarm system for non-business hours, and 
this system is monitored by a security service vendor. The office space 
occupied by employees with access to veteran records is secured with an 
electronic locking system which requires a card for entry and exit of 
that office space.
    3. Strict control measures are enforced to ensure that access to 
and disclosure from all records including electronic files and veteran 
specific data elements stored in the HEC veteran database are limited 
to HEC employees whose official duties warrant access to those files. 
The automated record system recognizes authorized users by keyboard 
entry of a series of unique passwords. Once the employee is logged onto 
the system, access to files is controlled by discreet menus which are 
assigned by the HEC computer system administration staff upon request 
from the employee's supervisor and the employee's demonstrated need to 
access the data to perform the employee's assigned duties. A number of 
other security measures are implemented to enhance security of 
electronic records (automatic timeout after short period of inactivity, 
device locking after pre-set number of invalid logon attempts, etc.). 
Employees are required to sign a user access agreement acknowledging 
their knowledge of confidentiality requirements, and all employees 
receive annual training on information security. Access is deactivated 
when no longer required for official duties. Recurring monitors are in 
place to ensure compliance with nationally- and locally-established 
security measures.
    4. Veteran data are transmitted from the HEC to VA healthcare 
facilities over the Department's computerized electronic communications 
system (currently the Integrated Data Communications Utility or IDCU). 
Access to data in these files is controlled at the healthcare facility 
level in accordance with nationally-and locally-established data 
security

[[Page 13052]]

procedures. VA employees at healthcare facilities are granted access to 
patient data on a ``need-to-know'' basis. All employees receive 
information security training and are issued unique access and verify 
codes. Employees are assigned computer menus that allow them to view 
and edit records as authorized by the supervisor. While employees at 
the healthcare facility may edit data which was initially input at the 
facility level, employees at the facility do not have edit access to 
income tests which originated at the HEC. Likewise, HEC employees have 
view-only access to the income tests that originated at the healthcare 
facility.
    5. In addition to passcards, the HEC computer room requires manual 
entry of a security code prior to entry. Only the automated information 
systems (AIS) staff and the HEC security officer are issued the 
security code to this area.
    Programmer access to the HEC database is restricted only to those 
AIS staff whose official duties require that level of access.
    6. On-line data reside on magnetic media in the HEC Computer Room 
that is highly secured. Backup media are stored in a combination lock 
safe in a secured room within the same building; only information 
system staff has access to the safe. On a weekly basis, backup media 
are stored in off-site storage by a media storage vendor. The vendor 
picks up and returns the media in a locked storage container; vendor 
personnel do not have key access to the locked container.
    7. Any sensitive information that may be downloaded to personal 
computer files in the HEC or printed to hard copy format is provided 
the same level of security as the electronic records. All paper 
documents and informal notations containing sensitive data are shredded 
prior to disposal. All magnetic media (primary computer system) and 
personal computer disks are degaussed prior to disposal or release off 
site for repair.
    8. The Income Verification Match Program of the HEC requires that 
HEC obtain veteran and spouse earned and unearned income data from IRS 
and SSA. The HEC complies fully with the Tax Information Security 
Guidelines for Federal, State and Local Agencies (Department of 
Treasury IRS Publication 1075) as it relates to access and protection 
of such data. These guidelines define the management of magnetic media, 
paper and electronic records, and physical and electronic security of 
the data.
    9. All new HEC employees receive initial information security 
training, and refresher training is provided to all employees on an 
annual basis. An annual information security audit is performed by the 
VA Regional Information Security Officer. This annual audit includes 
the primary computer information system, the telecommunication system, 
and local area networks. Additionally, the IRS performs periodic on-
site inspections to ensure the appropriate level of security is 
maintained for Federal tax data. The HEC Information Security Officer 
and AIS administrator additionally perform periodic reviews to ensure 
security of the system and databases.
    10. Identification codes and codes used to access HEC automated 
communications systems and records systems, as well as security 
profiles and possible security violations, are maintained on magnetic 
media in a secure environment at the Center. For contingency purposes, 
database backups on removable magnetic media are stored off-site by a 
licensed and bonded media storage vendor.

RETENTION AND DISPOSAL:
    Depending on the record medium, records are destroyed by either 
shredding or degaussing. Paper records are destroyed after they have 
been accurately scanned on optical disks. Optical disks or other 
electronic medium are deleted when all phases of the veteran's appeal 
rights have ended (ten years after the income year for which the means 
test verification was conducted). Tapes received from SSA and IRS are 
destroyed 30 days after the data have been validated as being a true 
copy of the original data. Summary reports and other output reports are 
destroyed when no longer needed for current operation. Regardless of 
record medium, no records will be retired to a Federal records center.

SYSTEM MANAGER(S) AND ADDRESS
    Official responsible for policies and procedures: Chief Information 
Officer (19), VA Central Office, 810 Vermont Avenue, NW, Washington, DC 
20420. Official maintaining the system: Director, Health Eligibility 
Center, 1644 Tullie Circle, Atlanta, Georgia 30329.

NOTIFICATION PROCEDURE:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier or wants to determine the contents of such record, should 
submit a written request or apply in person to the HEC. All inquiries 
must reasonably identify the records requested. Inquiries should 
include the individual's full name, social security number and return 
address.

RECORD ACCESS PROCEDURES:
    Individuals seeking information regarding access to and contesting 
of HEC records may write to the Director, Health Eligibility Center, 
1644 Tullie Circle, Atlanta, Georgia 30329.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:
    Information in this system of records may be provided by the 
veteran; veteran's spouse or other family members or accredited 
representatives or friends; employers and other payers of earned 
income; financial institutions and other payers of unearned income; 
health insurance carriers; other Federal agencies; ``Patient Medical 
Records--VA'' (24VA136) system of records; Veterans Benefits 
Administration automated record systems (including Veterans and 
Beneficiaries Identification and Records Location Subsystem--VA 
(38VA23); and the ``Compensation, Pension, Education and Rehabilitation 
Records--VA'' (58VA21/22).

[FR Doc. 99-6304 Filed 3-15-99; 8:45 am]
BILLING CODE 8320-01-P