[Federal Register Volume 64, Number 50 (Tuesday, March 16, 1999)]
[Notices]
[Pages 13049-13052]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-6304]
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; Amendment of System of Records Notice
``Means Test Verification Records--VA''
AGENCY: Department of Veterans Affairs.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The Department of Veterans Affairs (VA) is amending and
renaming the system of records currently known as ``Means Test
Verification Records--VA (89VA161)'' as set forth in the Federal
Register 59FR8677 (2/23/94). VA is amending the system by revising the
System Name and Number and the paragraphs for System Location;
Categories of Individuals Covered by the System; Categories of Records
in the System; Authority for Maintenance of the System; and Policies
and Practices for Storing, Retrieving, Accessing, Retaining, and
Disposing of Records in the System, including Storage, Retrievability
and Safeguards. VA is republishing the system notice in its entirety at
this time.
DATES: These amendments are effective on March 16, 1999.
FOR FURTHER INFORMATION CONTACT: Alan Begbie, Director, Health
Eligibility Center (HEC), Veterans Health Administration, 1644 Tullie
Circle, Atlanta, Georgia 30329, (404) 235-1300.
SUPPLEMENTARY INFORMATION: The name and number of the system is changed
from ``Means Test Verification Records'' VA(89VA161) to ``Healthcare
Eligibility Records'' VA(89VA19) to more accurately reflect the type of
records maintained in this system and to reflect recent organizational
changes.
The system location has been amended to reflect that the Income
Verification Match Center (IVMC) has been renamed the Health
Eligibility Center (HEC) and to indicate the current address of the
HEC.
The individuals covered by this system have been increased to
include all veterans who have applied for VA healthcare services under
Title 38, United States Code, Chapter 17, and in certain cases, members
of their immediate families. Under the previous notice only data on
nonservice-connected veterans was collected.
The VHA HEC in Atlanta, Georgia, was originally established as the
IVMC to verify the self-reported income of certain veterans with
Internal Revenue Service (IRS) and Social Security Administration (SSA)
information to determine the veteran's correct eligibility for VA
healthcare benefits, as mandated by section 8051, Pub. L. 101-508.
Section 8014 of Pub. L. 105-33 extended VA's matching authority through
September 30, 2002.
Title 38, United States Code, Section 1705, requires VA to design,
establish and operate a system of annual patient enrollment. As a
matter of policy, VHA has determined that the HEC database will be
expanded to serve as the central repository for eligibility and
enrollment data of veterans applying for or receiving VA healthcare
benefits. Veterans' enrollment information such as beginning and ending
dates of the enrollment period, enrollment status and primary
healthcare facility, will be maintained in this database and provided
to VA healthcare facilities involved in the veteran's care. This
increases the types of records and individuals covered under the
system.
To carry out the HEC programs, the Center receives electronic
transmissions from VA healthcare facilities via the Department's
electronic communications system (wide area network). These
transmissions include personal, income and eligibility information,
such as name, social security number, address, health insurance
coverage, and other information concerning the veteran's self-reported
household income and eligibility status. In certain cases, these
transmissions include limited immediate family information provided by
the veteran.
Compensation and pension award adjustment information contained in
claim records administered by the Veterans Benefit Administration (VBA)
is also sent to the HEC database, ensuring consistency of eligibility
information contained in records covered by this system.
The HEC automatically sends this information over VA's wide area
network to VA medical facilities where the veteran received care within
the previous 12 month period. VA medical facilities can query the HEC
database to obtain information on veteran applicants who have not
received healthcare at that facility during the previous 12 month time
frame. If available, updated information is transmitted to the
requesting facility and loaded into the facility's database. Access to
data in these files is controlled at the healthcare facility in
accordance with nationally and locally-established data security
procedures. These standards include, but are not limited to, requiring
a unique password for each user, restricting access to ``need-to-know''
data, and deactivating screen displays after short periods of
inactivity.
The HEC submits record identifiers (name, social security number,
date of birth, and sex) to SSA for social security number validation.
The validated social security number assists in matching a veteran's
record maintained at one VA healthcare facility with records maintained
at another. For certain veterans whose eligibility for VA healthcare is
based on income, the validated social security number is also
[[Page 13050]]
used to match VA records with SSA and IRS for income verification
purposes. For these veterans, the HEC database contains earned and
unearned income data received from IRS and SSA.
The purpose of this system of records is to conduct income testing
and verification activities; to validate social security numbers of
veterans receiving VA healthcare benefits; to identify veterans' third
party health insurance coverage; to ensure accuracy of veterans'
eligibility information for medical care benefits; and to operate an
annual patient enrollment system.
Approved: February 27, 1999.
Togo D. West, Jr.,
Secretary of Veterans Affairs.
89VA19
Healthcare Eligibility Records--VA.
SYSTEM LOCATION:
All paper and electronic records are maintained at the Health
Eligibility Center (HEC), 1644 Tullie Circle, Atlanta, Georgia 30329
and at VA healthcare facilities listed in the biennial publication of
the VA's Systems of Records, Appendix A.
CATEGORIES OF INDIVIDUALS COVERED BY THIS SYSTEM:
Veterans who have applied for VA healthcare services under Title
38, United States Code, Chapter 17, and in certain cases, members of
their immediate families.
CATEGORIES OF RECORDS IN THE SYSTEM:
Medical benefit application and eligibility information;
identifying information including name, address, date of birth, social
security number, claim number, eligibility information, family
information including spouse and dependent(s) name, address, and social
security number; employment information on veteran and spouse,
including occupation, employer(s) name(s) and address(es); financial
information concerning the veteran and the veteran's spouse including
family income, assets, expenses, debts; third party health plan
contract information, including health insurance carrier name and
address, policy number and time period covered by policy; facility
location(s) where treatment is provided; type of treatment provided,
i.e., inpatient or outpatient; and dates of visits. Documents generated
as a result of income verification by computer match with records from
the IRS and the SSA and during the notification, verification and due
process periods, such as initial verification letters, income
verification forms, final confirmation letters, due process letters,
clarification letters and subpoena documentation. Individual
correspondence provided to the HEC by veterans or family members
including, but not limited to, copies of death certificates; DD 214,
Notice of Separation; disability award letters; IRS documents (i.e.,
Form 1040's, W-2's, etc.); state welfare and food stamp applications;
VA and other pension applications; VA Forms 10-10, Application for
Medical Benefits, and 10-10F, Financial Worksheet; workers compensation
forms; and various annual earnings statements, as well as pay stubs.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Title 38, United States Code, sections 501(a), 1705, 1722, and
5317.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
Income information that is received from IRS and SSA is protected
by 26 U.S.C. 6103, and may not be disclosed under routine uses set
forth absent specific authorization from the IRS or the VA Office of
General Counsel (024).
1. The record of an individual who is covered by this system may be
disclosed to a Member of Congress or staff person acting for the member
when the member or staff person requests the record on behalf of, and
at the written request of, that individual.
2. Disclosure of records covered by this system, as deemed
necessary and proper to named individuals serving as accredited service
organization representatives and other individuals named as approved
agents or attorneys for a documented purpose and period of time, to aid
beneficiaries in the preparation and presentation of their cases during
the verification and/or due process procedures and in the presentation
and prosecution of claims under laws administered by the Department of
Veterans Affairs.
3. In the event that information in this system of records
maintained by this agency to carry out its functions indicates a
violation or potential violation of law, whether civil, criminal or
regulatory in nature, and whether arising by general statute or a
particular program statute, or by regulation, rule or order issued
pursuant thereto, the relevant records may be referred, as a routine
use, to the appropriate agency, whether Federal, State, local or
foreign, charged with the responsibility of investigating or
prosecuting such violation or charged with enforcing or implementing
the statute, rule, regulation, or order issued pursuant thereto.
4. Relevant information from this system of records may be
disclosed as a routine use in the course of presenting evidence to a
court, magistrate or administrative tribunal in matters of
guardianship, inquests and commitments; to private attorneys
representing veterans rated incompetent in conjunction with issuance of
Certificates of Incompetency; and to probation and parole officers in
connection with Court required duties.
5. Any information in this system may be disclosed to a VA Federal
fiduciary or a guardian ad litem in relation to his or her
representation of a veteran but only to the extent necessary to fulfill
the duties of the VA Federal fiduciary or the guardian ad litem.
6. Relevant information may be disclosed to attorneys, insurance
companies, employers, third parties, liable or potentially liable under
health plan contracts to the Department of Veterans Affairs, and to
courts, boards, or commissions. Such disclosures may be made only to
the extent necessary to aid the Department of Veterans Affairs in the
preparation, presentation, and prosecution of claims authorized under
Federal, State, or local laws, and regulations promulgated thereunder.
7. Relevant information may be disclosed to the Department of
Justice and United States Attorneys in defense or prosecution of
litigation involving the United States, and to Federal agencies upon
their request in connection with review of administrative tort claims
filed under the Federal Tort Claims Act, 28 U.S.C. 2672.
8. Disclosure may be made to the National Archives and Records
Administration (NARA), and the General Services Administration (GSA) in
records management inspections conducted under authority of 44 U.S.C.
2904 and 2906.
9. Information in this system of records may be disclosed for the
purposes identified below to a third party, except consumer reporting
agencies, in connection with any proceeding for the collection of an
amount owed to the United States by virtue of a person's participation
in any benefit program administered by the Department of Veterans
Affairs. Information may be disclosed under this routine use only to
the extent that it is reasonably necessary to: (a) Assist the VA in the
collection of costs of services provided individuals not entitled to
such services; and (b) initiate civil or criminal legal actions for
collecting amounts owed to the United States. This disclosure is
consistent with 38 U.S.C. 5701(b)(6).
[[Page 13051]]
10. The name and address of a veteran, other information as is
reasonably necessary to identify such veteran, including personal
information obtained from other Federal agencies through computer
matching programs and any information concerning the veteran's
indebtedness to the United States by virtue of the person's
participation in a benefits program administered by the VA, may be
disclosed to a consumer reporting agency for purposes of assisting in
the collection of such indebtedness, provided that the provisions of 38
U.S.C. 5701(g)(4) have been met.
11. For computer matching program and ADP security review purposes,
record information may be disclosed to teams from other source Federal
agencies who are parties to computer matching agreements involving the
information maintained in this system, but only to the extent that the
information is necessary and relevant to the review.
12. For veterans subject to income verification requirements, the
name and identifying information on a veteran and/or spouse may be
provided to reported payers of earned and/or unearned income in order
to verify the identifier provided, address, income paid, period of
employment, and health insurance information provided on the means test
and to confirm income and demographic data provided by other Federal
agencies during income verification computer matching.
13. Identifying information, including social security numbers,
concerning veterans, their spouses, and the dependents of veterans may
be disclosed to other Federal agencies for purposes of conducting
computer matches to obtain valid identifying demographic and income
information to determine or verify eligibility of certain veterans who
are receiving VA medical care under Title 38, U.S.C.
14. The name and social security number of a veteran, spouse and
dependents, and other identifying information as is reasonably
necessary may be disclosed to SSA, Department of Health and Human
Services, for the purpose of conducting a computer match to obtain
information to validate the social security numbers maintained in VA
records.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
All records are maintained at the HEC, 1644 Tullie Circle, Atlanta,
Georgia 30329. Paper correspondence received from the veteran in
response to HEC inquiries may be scanned and stored for viewing
electronically.
RETRIEVABILITY:
Records (or information contained in records) maintained on paper
documents are indexed by the veteran's name and social security number
and are filed in case number order. Automated veterans' health
eligibility records are indexed and retrieved by the veteran's name,
social security number or case number. Automated health eligibility
record information on spouses may be retrieved by the spouse's name or
social security number.
SAFEGUARDS:
1. Data transmissions between VA healthcare facilities and the HEC
and VA databases housed at VA's Austin Automation Center are
accomplished using the Department's wide area network. The software
programs at the respective facilities automatically flag records or
events for transmission based upon functionality requirements. VA
healthcare facilities and the HEC control access to data by using VHA's
Veterans Health Information System and Technology Architecture (VISTA),
(formerly known as Decentralized Hospital Computer Program (DHCP)
software modules), specifically Kernel and MailMan. Kernel utility
programs provide the interface between operating systems, application
packages and users. Once data are identified for transmission, records
are stored in electronic mail messages which are then transmitted to
specific domains on the Department's wide area network which currently
uses the Integrated Data Communications Utility (IDCU), a vendor-
provided set of communications utilities and hardware. The data are
stored in the electronic mail message using Health Level Seven (HL7)
protocol. HL7 is a standard protocol which specifies the implementation
of interfaces between two computer applications (sender and receiver)
from different vendors for electronic data exchange in healthcare
environments. Based on predetermined functional specifications, HL7
defines the data to be exchanged, the timing of the interchange, and
the communication of errors when necessary. Server jobs at each agency
run continuously to check for data to be transmitted and/or incoming
data which needs to be parsed to files on the receiving end. All mail
messages containing data transmissions include header information which
is used for validation purposes. Consistency checks in the software are
used to validate the transmission, and electronic acknowledgment
messages are returned to the sending application. The Department's
Telecommunications Support Service has oversight responsibility for
planning, security, and management of the IDCU network.
2. Working spaces and record storage areas at the HEC are secured
during all business hours, as well as during non-business hours. All
entrance doors require an electronic passcard for entry when unlocked,
and entry doors are locked outside normal business hours. Electronic
passcards are issued by the HEC Security Officer. Visitor entry is
controlled by HEC staff by door release or escort. The building is
equipped with an intrusion alarm system for non-business hours, and
this system is monitored by a security service vendor. The office space
occupied by employees with access to veteran records is secured with an
electronic locking system which requires a card for entry and exit of
that office space.
3. Strict control measures are enforced to ensure that access to
and disclosure from all records including electronic files and veteran
specific data elements stored in the HEC veteran database are limited
to HEC employees whose official duties warrant access to those files.
The automated record system recognizes authorized users by keyboard
entry of a series of unique passwords. Once the employee is logged onto
the system, access to files is controlled by discreet menus which are
assigned by the HEC computer system administration staff upon request
from the employee's supervisor and the employee's demonstrated need to
access the data to perform the employee's assigned duties. A number of
other security measures are implemented to enhance security of
electronic records (automatic timeout after short period of inactivity,
device locking after pre-set number of invalid logon attempts, etc.).
Employees are required to sign a user access agreement acknowledging
their knowledge of confidentiality requirements, and all employees
receive annual training on information security. Access is deactivated
when no longer required for official duties. Recurring monitors are in
place to ensure compliance with nationally- and locally-established
security measures.
4. Veteran data are transmitted from the HEC to VA healthcare
facilities over the Department's computerized electronic communications
system (currently the Integrated Data Communications Utility or IDCU).
Access to data in these files is controlled at the healthcare facility
level in accordance with nationally-and locally-established data
security
[[Page 13052]]
procedures. VA employees at healthcare facilities are granted access to
patient data on a ``need-to-know'' basis. All employees receive
information security training and are issued unique access and verify
codes. Employees are assigned computer menus that allow them to view
and edit records as authorized by the supervisor. While employees at
the healthcare facility may edit data which was initially input at the
facility level, employees at the facility do not have edit access to
income tests which originated at the HEC. Likewise, HEC employees have
view-only access to the income tests that originated at the healthcare
facility.
5. In addition to passcards, the HEC computer room requires manual
entry of a security code prior to entry. Only the automated information
systems (AIS) staff and the HEC security officer are issued the
security code to this area.
Programmer access to the HEC database is restricted only to those
AIS staff whose official duties require that level of access.
6. On-line data reside on magnetic media in the HEC Computer Room
that is highly secured. Backup media are stored in a combination lock
safe in a secured room within the same building; only information
system staff has access to the safe. On a weekly basis, backup media
are stored in off-site storage by a media storage vendor. The vendor
picks up and returns the media in a locked storage container; vendor
personnel do not have key access to the locked container.
7. Any sensitive information that may be downloaded to personal
computer files in the HEC or printed to hard copy format is provided
the same level of security as the electronic records. All paper
documents and informal notations containing sensitive data are shredded
prior to disposal. All magnetic media (primary computer system) and
personal computer disks are degaussed prior to disposal or release off
site for repair.
8. The Income Verification Match Program of the HEC requires that
HEC obtain veteran and spouse earned and unearned income data from IRS
and SSA. The HEC complies fully with the Tax Information Security
Guidelines for Federal, State and Local Agencies (Department of
Treasury IRS Publication 1075) as it relates to access and protection
of such data. These guidelines define the management of magnetic media,
paper and electronic records, and physical and electronic security of
the data.
9. All new HEC employees receive initial information security
training, and refresher training is provided to all employees on an
annual basis. An annual information security audit is performed by the
VA Regional Information Security Officer. This annual audit includes
the primary computer information system, the telecommunication system,
and local area networks. Additionally, the IRS performs periodic on-
site inspections to ensure the appropriate level of security is
maintained for Federal tax data. The HEC Information Security Officer
and AIS administrator additionally perform periodic reviews to ensure
security of the system and databases.
10. Identification codes and codes used to access HEC automated
communications systems and records systems, as well as security
profiles and possible security violations, are maintained on magnetic
media in a secure environment at the Center. For contingency purposes,
database backups on removable magnetic media are stored off-site by a
licensed and bonded media storage vendor.
RETENTION AND DISPOSAL:
Depending on the record medium, records are destroyed by either
shredding or degaussing. Paper records are destroyed after they have
been accurately scanned on optical disks. Optical disks or other
electronic medium are deleted when all phases of the veteran's appeal
rights have ended (ten years after the income year for which the means
test verification was conducted). Tapes received from SSA and IRS are
destroyed 30 days after the data have been validated as being a true
copy of the original data. Summary reports and other output reports are
destroyed when no longer needed for current operation. Regardless of
record medium, no records will be retired to a Federal records center.
SYSTEM MANAGER(S) AND ADDRESS
Official responsible for policies and procedures: Chief Information
Officer (19), VA Central Office, 810 Vermont Avenue, NW, Washington, DC
20420. Official maintaining the system: Director, Health Eligibility
Center, 1644 Tullie Circle, Atlanta, Georgia 30329.
NOTIFICATION PROCEDURE:
An individual who wishes to determine whether a record is being
maintained in this system under his or her name or other personal
identifier or wants to determine the contents of such record, should
submit a written request or apply in person to the HEC. All inquiries
must reasonably identify the records requested. Inquiries should
include the individual's full name, social security number and return
address.
RECORD ACCESS PROCEDURES:
Individuals seeking information regarding access to and contesting
of HEC records may write to the Director, Health Eligibility Center,
1644 Tullie Circle, Atlanta, Georgia 30329.
CONTESTING RECORD PROCEDURES:
(See Record Access Procedures above.)
RECORD SOURCE CATEGORIES:
Information in this system of records may be provided by the
veteran; veteran's spouse or other family members or accredited
representatives or friends; employers and other payers of earned
income; financial institutions and other payers of unearned income;
health insurance carriers; other Federal agencies; ``Patient Medical
Records--VA'' (24VA136) system of records; Veterans Benefits
Administration automated record systems (including Veterans and
Beneficiaries Identification and Records Location Subsystem--VA
(38VA23); and the ``Compensation, Pension, Education and Rehabilitation
Records--VA'' (58VA21/22).
[FR Doc. 99-6304 Filed 3-15-99; 8:45 am]
BILLING CODE 8320-01-P