[Federal Register Volume 69, Number 24 (Thursday, February 5, 2004)]
[Notices]
[Pages 5667-5672]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-2405]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552a(e) (4)) requires that 
all agencies publish in the Federal Register a notice of the existence 
and character of their systems of records. Notice is hereby given that 
VA is amending the system of records currently entitled ``Veterans 
Health Information Systems and Technology Architecture (VistA) Records-
-VA'' (79VA19) as set forth in the Federal Register 56 FR 6048 and last 
amended in the Federal Register 65 FR 70632-70636. VA is amending the 
routine uses of records maintained in the system, including categories 
of users and the purposes of such uses, the policies and practices for 
storing, retrieving, accessing, retaining and disposing of records in 
the system, and the system manager(s) and address. VA is republishing 
the system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than March 8, 2004. If no public comment is received 
during the period allowed for comment or unless otherwise published in 
the Federal Register by VA, the system will become effective March 8, 
2004.

ADDRESSES: Written comments concerning the proposed amended system of 
records may be submitted by: mail or hand-delivery to Director, 
Regulations Management (00REG1), Department of Veterans Affairs, 810 
Vermont Avenue, NW., Room 1068, Washington, DC 20420; fax to (202) 273-
9026; or e-mail to [email protected]. All comments received 
will be available for public inspection in the Office of Regulation 
Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 
p.m., Monday through Friday (except holidays). Please call (202) 273-
9515 for an appointment.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Act Officer, Department of Veterans Affairs, 810 Vermont 
Avenue, NW., Washington, DC 20420, telephone (727) 320-1839.

SUPPLEMENTARY INFORMATION: 
    Background: In the 1980s, VHA developed an electronic health care 
architecture called the Decentralized Hospital Computer Program (DHCP) 
that was comprised of software applications that were integrated into a 
complete hospital information system primarily for hospital-based 
activities. DHCP was installed at VA medical facilities to provide 
comprehensive support for clinical and administrative needs and for VA-
wide management information. By 1990, VHA upgraded computer capacity at 
all medical facilities and implemented software on a national scale 
that supported integrated health care delivery. In 1996, VHA introduced 
the Veterans Health Information Systems and Technology Architecture 
(VistA), a client-server architecture that tied together workstations 
and personal computers and supported the day-to-day operations at all 
health care facilities.
    The purpose of the system of records is to provide a repository for 
the administrative information that is used to accomplish the purposes 
described. The records include information provided by applicants for 
employment, employees, volunteers, trainees, contractors and 
subcontractors, consultants, maintenance personnel, students, patients, 
and information obtained in the course of routine work done. Quality 
assurance information that is protected by 38 U.S.C. 7311 and 38 CFR 
17.500-17.511 is not within the scope of the Privacy Act and, 
therefore, is not included in this system of records or filed in a 
manner in which the information may be retrieved by reference to an 
individual identifier.
    Data stored in VistA is used to prepare various management, 
tracking, and follow-up reports that are used to assist in the 
management and operation of the health care facility, and the planning 
and delivery of patient medical care. Data may be used to track and 
evaluate patient care services; the distribution and utilization of 
resources; and the performance of vendors and employees. The data may 
also be used for such purposes as scheduling employees' tours of duty 
and for scheduling patient treatment services including nursing care, 
clinic appointments, surveys, diagnostic and therapeutic procedures. 
Data may also be used to track the ordering, delivery, maintenance and 
repair of equipment and for follow-up to determine if the actions were 
accomplished and to evaluate the results.
    The routine uses of records maintained in the system, including 
categories of users and the purposes of such uses are amended, as 
described below, to enable efficient administration and operation of 
health care facilities and to assist in the planning and delivery of 
patient medical care:
     Routine use number one (1) is amended in its 
entirety. VA must be able to comply with the requirements of agencies 
charged with enforcing the law and conducting investigations. VA must 
also be able to provide information to state or local agencies charged 
with protecting the public's health as set forth in state law. The 
routine use will be as follows:
    On its own initiative, VA may disclose information, except for the 
names and home addresses of veterans and their dependents, to a 
Federal, State, local, tribal or foreign agency charged with the 
responsibility of

[[Page 5668]]

investigating or prosecuting civil, criminal or regulatory violations 
of law, or charged with enforcing or implementing the statute, 
regulation, rule or order issued pursuant thereto. On its own 
initiative, VA may also disclose the names and addresses of veterans 
and their dependents to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto.
     Former routine use two (2) is deleted as 
procedures have been defined in VHA Handbook 1605.1, Privacy and 
Release of Information, Paragraph 16, ROI Within VA for Purposes other 
than Treatment, Payment, and/or Health Care Operation Without 
Authorization.
     Former routine use three (3) is renumbered to 
routine use two (2) and amended to remove the phrase ``or at the 
initiation of the VA'' as, upon internal review, it was found not 
relevant to the routine use.
     Former routine use four (4) is renumbered as 
routine use three (3).
     Former routine use five (5) is renumbered to 
routine use four (4) and amended to remove specific references under 44 
U.S.C. The routine use will be as follows:
    Disclosure may be made to the National Archives and Records 
Administration (NARA) in records management inspections conducted under 
authority of 44 U.S.C.
     Former routine use six (6) is renumbered to 
routine use five (5) and amended to remove specific references under 28 
U.S.C. The routine use will be as follows:
     Disclosure may be made to the Department of 
Justice and United States attorneys in defense or prosecution of 
litigation involving the United States, and to Federal agencies upon 
their request in connection with review of administrative tort claims 
filed under the Federal Tort Claims Act, 28 U.S.C.
     Former routine use seven (7) is renumbered to 
routine use six (6).
     Former routine use eight (8) is renumbered to 
routine use seven (7) and amended by deleting the text ``disclosure may 
be made to a Federal, State or local government licensing board and/or 
to the Federation of State Medical Boards or a similar non-government 
entity which maintains records concerning individual employment 
histories or concerning the issuance, retention or revocation of 
licenses, certifications, or registration necessary to practice an 
occupation, profession or specialty; in order for the Department to 
obtain information relevant to a Department decision concerning the 
hiring, retention or termination of an employee;'' as private health 
information is not disclosed and the disclosure of information is not 
required.
     Former routine uses nine (9) and ten (10) are 
renumbered as routine uses eight (8) and nine (9).
     Former routine use eleven (11) is deleted as it 
duplicates routine use number one (1) and is no longer necessary.
     Former routine use twelve (12) is renumbered as 
routine use ten (10).
     Former routine use thirteen (13) is renumbered 
as routine use eleven (11) and amended to delete the phrase ``VA-
appointed'' as it is no longer applicable to the representation of an 
employee.
     Former routine use fourteen (14) is renumbered 
as routine use twelve (12) and amended to modify the phrase ``including 
the Office of the Special Counsel'' to ``and the Office of the Special 
Counsel'' in order to address organizational changes.
     Former routine uses fifteen (15) through 
nineteen (19) are renumbered as routine uses thirteen (13) through 
seventeen (17).
     Former routine use twenty (20) is renumbered as 
routine use number eighteen (18) and amended to further define 
disclosure of information to the National Practitioner Data Bank and/or 
State Licensing Board in the state(s) in which a practitioner is 
licensed, in which the VA facility is located, and/or in which an act 
or omission occurred upon which a medical malpractice claim was based 
when the VA reports information concerning: (1) Any payment for the 
benefit of a physician, dentist, or other licensed health care 
practitioner which was made as the result of a settlement or judgment 
of a claim of medical malpractice if an appropriate determination is 
made in accordance with agency policy that payment was related to 
substandard care, professional incompetence or professional misconduct 
on the part of the individual; (2) a final decision which relates to 
possible incompetence or improper professional conduct that adversely 
affects the clinical privileges of a physician or dentist for a period 
longer than 30 days; or, (3) the acceptance of the surrender of 
clinical privileges or any restriction of such privileges by a 
physician or dentist either while under investigation by the health 
care entity relating to possible incompetence or improper professional 
conduct, or in return for not conducting such an investigation or 
proceeding.
     Former routine uses twenty-one through twenty-
five (21-25) are renumbered as routine uses nineteen (19) through 
twenty-three (23).
    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which VA collected the information. In all of the routine 
use disclosures described above, the recipient of the information will 
use the information in connection with a matter relating to one of VA's 
programs, will use the information to provide a benefit to VA, or 
disclosure is required by law.
    Under section 264, subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 
100 Stat. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable Health 
Information, 45 CFR parts 160 and 164. VHA may not disclose 
individually-identifiable health information (as defined in HIPAA and 
the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to 
a routine use unless either: (a) The disclosure is required by law, or 
(b) the disclosure is also permitted or required by the HHS Privacy 
Rule. The disclosures of individually-identifiable health information 
contemplated in the routine uses published in this amended system of 
records notice are permitted under the Privacy Rule or required by law. 
However, to also have authority to make such disclosures under the 
Privacy Act, VA must publish these routine uses. Consequently, VA is 
publishing these routine uses and is adding a preliminary paragraph to 
the routine uses portion of the system of records notice stating that 
any disclosure pursuant to the routine uses in this system of records 
notice must be either required by law or permitted by the Privacy Rule 
before VHA may disclose the covered information.
    The safeguards section of policies and practices for storing, 
retrieving, accessing, retaining and disposing of records in the system 
is amended to address access to file information and how the 
information is controlled, specifically to address access by remote 
data users such as Veteran Outreach Centers, Veteran Service Officers 
(VSO) with power of attorney to assist with claim processing, Veteran 
Benefits Administration (VBA) Regional Office staff for benefit 
determination and processing purposes, VA Office of Inspector General 
(OIG) staff conducting

[[Page 5669]]

official audits, investigations at the health care facility, or an OIG 
office location remote from the health care facility and other 
authorized individuals.
    The system manager(s) and address is amended to reflect 
organizational changes.
    The report of intent to publish an amended system of records and an 
advance copy of the system notice are being sent to the appropriate 
Congressional committees and to the Director of Office of Management 
and Budget (OMB), as required by 5 U.S.C. 552a(r) (Privacy Act) and 
guidelines issued by OMB (61 FR 6428), February 20, 1996.

    Approved: January 22, 2004.
Anthony J. Principi,
Secretary of Veterans Affairs.
79VA19

SYSTEM NAME:
    Veterans Health Information Systems and Technology Architecture 
(VistA) Records-VA.

SYSTEM LOCATION:
    Records are maintained at each VA health care facility (in most 
cases, back-up computer tape information is stored at off-site 
locations). Address locations for VA facilities are listed in VA 
Appendix 1. In addition, information from these records or copies of 
records may be maintained at the Department of Veterans Affairs, 810 
Vermont Avenue, NW., Washington, DC, VA Data Processing Centers, VA 
Chief Information Officer (CIO) Field Offices, Veterans Integrated 
Service Network (VISN) Offices, and Employee Education Systems.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning current and former 
employees, applicants for employment, trainees, contractors, sub-
contractors, contract personnel, students, providers and consultants, 
patients and members of their immediate family, volunteers, maintenance 
personnel, as well as individuals working collaboratively with the VA.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information related to:
    1. Workload such as orders entered, verified, and edited (e.g., 
engineering work orders, doctors' orders for patient care including 
nursing care, the scheduling and delivery of medications, 
consultations, radiology, laboratory and other diagnostic and 
therapeutic examinations); results entered; items checked out and items 
in use (e.g., library books, keys, x-rays, patient medical records, 
equipment, supplies, reference materials); work plans entered and the 
subsequent tracking (e.g., construction projects, engineering work 
orders and equipment maintenance and repairs assigned to employees and 
status, duty schedules, work assignments, work requirements); reports 
of contact with individuals or groups; employees (including volunteers) 
work performance information (e.g., duties and responsibilities 
assigned and completed, amount of supplies used, time used, quantity 
and quality of output, productivity reports, schedules of patients 
assigned and treatment to be provided);
    2. Administrative procedures, duties, and assignments of certain 
personnel;
    3. Computer access authorizations, computer applications available 
and used, information access attempts, frequency and time of use; 
identification of the person responsible for, currently assigned, or 
otherwise engaged in various categories of patient care or support of 
health care delivery; vehicle registration (motor vehicles and 
bicycles) and parking space assignments; community and special project 
participants/attendees (e.g., sports events, concerts, National 
Wheelchair Games); employee work-related accidents. The record may 
include identifying information (e.g., name, date of birth, age, sex, 
social security number, taxpayer identification number); address 
information (e.g., home and/or mailing address, home telephone number, 
emergency contact information such as name, address, telephone number, 
and relationship); information related to training (e.g., security, 
safety, in-service), education and continuing education (e.g., name and 
address of schools and dates of attendance, courses attended and 
scheduled to attend, grades, type of degree, certificate, etc.); 
information related to military service and status; qualifications for 
employment (e.g., license, degree, registration or certification, 
experience); vehicle information (e.g., type make, model, license, and 
registration number); evaluation of clinical and/or technical skills; 
services or products purchased (e.g., vendor name and address, details 
about and/or evaluation of service or product, price, fee, cost, dates 
purchased and delivered, employee workload, and productivity data); 
employee work-related injuries (cause, severity, type of injury, body 
part affected);
    4. Financial information, such as service line and clinic budgets, 
projected and actual costs;
    5. Supply information, such as services, materials and equipment 
ordered;
    6. Abstract information (e.g., data warehouses, environmental and 
epidemiological registries, etc.) is maintained in auxiliary paper and 
automated records;
    7. Electronic messages; and
    8. The social security number and universal personal identification 
number of health care providers.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, section 7301(a).

PURPOSE(S):
    The records and information may be used for statistical analysis to 
produce various management, workload tracking and follow-up reports; to 
track and evaluate the ordering and delivery of equipment, services and 
patient care; the planning, distribution and utilization of resources; 
the possession and/or use of equipment or supplies; the performance of 
vendors, equipment, and employees; and to provide clinical and 
administrative support to patient medical care. The data may be used 
for research purposes. The data may be used also for such purposes as 
assisting in the scheduling of tours of duties and job assignments of 
employees; the scheduling of patient treatment services, including 
nursing care, clinic appointments, surgery, diagnostic and therapeutic 
procedures; the repair and maintenance of equipment and for follow-up 
to determine that the actions were accomplished and to evaluate the 
results; the registration of vehicles and the assignment and 
utilization of parking spaces; to plan, schedule, and maintain rosters 
of patients, employees and others attending or participating in sports, 
recreational or other events (e.g., National Wheelchair Games, 
concerts, picnics); for audits, reviews, and investigations conducted 
by staff of the health care facility, the Network Directors Office, VA 
Central Office, and the VA Office of Inspector General (OIG); for 
quality assurance audits, reviews, investigations and inspections; for 
law enforcement investigations; and for personnel management, 
evaluation and employee ratings, and performance evaluations.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information

[[Page 5670]]

protected by 45 CFR parts 160 and 164, i.e., individually-identifiable 
health information, and 38 U.S.C. 7332, i.e., medical treatment 
information related to drug abuse, alcoholism or alcohol abuse, sickle 
cell anemia or infection with the human immunodeficiency virus, that 
information cannot be disclosed under a routine use unless there is 
also specific statutory authority in 38 U.S.C. 7332 and regulatory 
authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, state, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.
    2. Disclosure may be made to an agency in the executive, 
legislative, or judicial branch, or the District of Columbia government 
in response to its request, in connection with the hiring of an 
employee, the issuance of a security clearance, the conducting of a 
security or suitability investigation of an individual, the letting of 
a contract, the issuance of a license, grant, or other benefits by the 
requesting agency, or the lawful statutory, administrative, or 
investigative purpose of the agency to the extent that the information 
is relevant and necessary to the requesting agency's decision.
    3. Disclosure may be made to a Congressional office from the record 
of an individual in response to an inquiry from the Congressional 
office made at the request of that individual.
    4. Disclosure may be made to the National Archives and Records 
Administration (NARA) in records management inspections conducted under 
authority of 44 U.S.C.
    5. Disclosure may be made to the Department of Justice and United 
States attorneys in defense or prosecution of litigation involving the 
United States, and to Federal agencies upon their request in connection 
with review of administrative tort claims filed under the Federal Tort 
Claims Act, 28 U.S.C.
    6. Hiring, performance, or other personnel-related information may 
be disclosed to any facility with which there is or there is proposed 
to be an affiliation, sharing agreement, contract, or similar 
arrangement for purposes of establishing, maintaining, or expanding any 
such relationship.
    7. Disclosure may be made to inform a Federal agency, licensing 
boards or the appropriate non-government entities about the health care 
practices of a terminated, resigned or retired health care employee 
whose professional health care activity so significantly failed to 
conform to generally accepted standards of professional medical 
practice as to raise reasonable concern for the health and safety of 
patients receiving medical care in the private sector or from another 
Federal agency. These records may also be disclosed as part of an 
ongoing computer matching program to accomplish these purposes.
    8. For program review purposes, and the seeking of accreditation 
and/or certification, disclosure may be made to survey teams of the 
Joint Commission on Accreditation of Healthcare Organizations (JCAHO), 
College of American Pathologists, American Association of Blood Banks, 
and similar national accreditation agencies or boards with whom VA has 
a contract or agreement to conduct such reviews but only to the extent 
that the information is necessary and relevant to the review.
    9. Disclosure may be made to a state or local government entity or 
national certifying body which has the authority to make decisions 
concerning the issuance, retention or revocation of licenses, 
certifications or registrations required to practice a health care 
profession, when requested in writing by an investigator or supervisory 
official of the licensing entity or national certifying body for the 
purpose of making a decision concerning the issuance, retention or 
revocation of the license, certification or registration of a named 
health care professional.
    10. Disclosure may be made to officials of labor organizations 
recognized under 5 U.S.C. chapter 71 when relevant and necessary to 
their duties of exclusive representation concerning personnel policies, 
practices, and matters affecting working conditions.
    11. Disclosure may be made to the representative of an employee, 
including all notices, determinations, decisions, or other written 
communications issued to the employee in connection with an examination 
ordered by VA under medical evaluation (formerly fitness-for-duty) 
examination procedures or Department-filed disability retirement 
procedures.
    12. Disclosure may be made to officials of the Merit Systems 
Protection Board, and the Office of the Special Counsel, when requested 
in connection with appeals, special studies of the civil service and 
other merit systems, review of rules and regulations, investigation of 
alleged or possible prohibited personnel practices, and such other 
functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be 
authorized by law.
    13. Disclosure may be made to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discrimination practices, examination of Federal 
affirmative employment programs, compliance with the Uniform Guidelines 
of Employee Selection Procedures, or other functions vested in the 
Commission by the President's Reorganization Plan No. 1 of 1978.
    14. Disclosure may be made to the Federal Labor Relations 
Authority, including its General Counsel, when requested in connection 
with investigation and resolution of allegations of unfair labor 
practices, in connection with the resolution of exceptions to 
arbitrator awards when a question of material fact is raised and 
matters before the Federal Service Impasses Panel.
    15. Disclosure may be made in consideration and selection of 
employees for incentive awards and other honors and to publicize those 
granted. This may include disclosure to other public and private 
organizations, including news media, which grant or publicize employee 
awards or honors.
    16. Disclosure may be made to consider employees for recognition 
through administrative and quality step increases and to publicize 
those granted. This may include disclosure to other public and private 
organizations, including news media, which grant or publicize employee 
recognition.
    17. Identifying information such as name, address, social security 
number and other information as is reasonably necessary to identify 
such individual, may be disclosed to the National Practitioner Data 
Bank at the time of hiring and/or clinical privileging/re-privileging 
of health care practitioners and at other times as deemed necessary by 
VA in order for VA to obtain information relevant to a Department 
decision concerning the hiring, privileging/re-privileging, retention 
or termination of the applicant or employee.

[[Page 5671]]

    18. Relevant information may be disclosed to the National 
Practitioner Data Bank and/or State Licensing Board in the state(s) in 
which a practitioner is licensed, in which the VA facility is located, 
and/or in which an act or omission occurred upon which a medical 
malpractice claim was based when VA reports information concerning: (1) 
Any payment for the benefit of a physician, dentist, or other licensed 
health care practitioner which was made as the result of a settlement 
or judgment of a claim of medical malpractice if an appropriate 
determination is made in accordance with agency policy that payment was 
related to substandard care, professional incompetence or professional 
misconduct on the part of the individual; (2) a final decision which 
relates to possible incompetence or improper professional conduct that 
adversely affects the clinical privileges of a physician or dentist for 
a period longer than 30 days; or, (3) the acceptance of the surrender 
of clinical privileges or any restriction of such privileges by a 
physician or dentist either while under investigation by the health 
care entity relating to possible incompetence or improper professional 
conduct, or in return for not conducting such an investigation or 
proceeding. These records may also be disclosed as part of a computer 
matching program to accomplish these purposes.
    19. Disclosure of medical record data, excluding name and address, 
unless name and address is furnished by the requester, may be made to 
epidemiological and other research facilities for research purposes 
determined to be necessary and proper, and approved by the Under 
Secretary for Health.
    20. Disclosure of name(s) and address(es) of present or former 
personnel of the Armed Services, and/or their dependents, may be made 
to: (a) a Federal department or agency, at the written request of the 
head or designee of that agency; or (b) directly to a contractor or 
subcontractor of a Federal department or agency, for the purpose of 
conducting Federal research necessary to accomplish a statutory purpose 
of an agency. When disclosure of this information is made directly to a 
contractor, VA may impose applicable conditions on the department, 
agency, and/or contractor to ensure the appropriateness of the 
disclosure to the contractor.
    21. The social security number, universal personal identification 
number and other identifying information of a health care provider may 
be disclosed to a third party where the third party requires the agency 
to provide that information before it will pay for medical care 
provided by VA.
    22. Relevant information may be disclosed to individuals, 
organizations, private or public agencies, etc., with whom VA has a 
contract or agreement to perform such services as VA may deem practical 
for the purposes of laws administered by VA, in order for the 
contractor and/or subcontractor to perform the services of the contract 
or agreement.
    23. Disclosure of relevant health care information may be made to 
individuals or organizations (private or public) with whom VA has a 
contract or sharing agreement for the provision of health care, 
administrative or financial services.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are maintained on paper, microfilm, magnetic tape, disk, or 
laser optical media. In most cases, copies of back-up computer files 
are maintained at off-site locations.

RETRIEVABILITY:
    Records are retrieved by name, social security number or other 
assigned identifiers of the individuals on whom they are maintained.

SAFEGUARDS:
    1. Access to VA working and storage areas is restricted to VA 
employees on a ``need-to-know'' basis. Strict control measures are 
enforced to ensure that disclosure to these individuals is also based 
on this same principle. Generally, VA file areas are locked after 
normal duty hours and the facilities are protected from outside access 
by the Federal Protective Service or other security personnel.
    2. Access to computer rooms at health care facilities is generally 
limited by appropriate locking devices and restricted to authorized VA 
employees and vendor personnel. Automated Data Processing (ADP) 
peripheral devices are placed in secure areas (areas that are locked or 
have limited access) or are otherwise protected. Information in VistA 
may be accessed by authorized VA employees. Access to file information 
is controlled at two levels. The systems recognize authorized employees 
by series of individually unique passwords/codes as a part of each data 
message, and the employees are limited to only that information in the 
file which is needed in the performance of their official duties. 
Information that is downloaded from VistA and maintained on personal 
computers is afforded similar storage and access protections as the 
data that is maintained in the original files. Access to information 
stored on automated storage media at other VA locations is controlled 
by individually unique passwords/codes. Access by remote data users 
such as Veteran Outreach Centers, Veteran Service Officers (VSO) with 
power of attorney to assist with claim processing, Veteran Benefits 
Administration (VBA) Regional Office staff for benefit determination 
and processing purposes, OIG staff conducting official audits, 
investigations or inspections at the health care facility, or an OIG 
office location remote from the health care facility and other 
authorized individuals is controlled in the same manner.
    3. Information downloaded from VistA and maintained by the OIG 
headquarters and Field Offices on automated storage media is secured in 
storage areas for facilities to which only OIG staff have access. Paper 
documents are similarly secured. Access to paper documents and 
information on automated storage media is limited to OIG employees who 
have a need for the information in the performance of their official 
duties. Access to information stored on automated storage media is 
controlled by individually unique passwords/codes.

RETENTION AND DISPOSAL:
    Paper records and information stored on electronic storage media 
are maintained and disposed of in accordance with records disposition 
authority approved by the Archivist of the United States.

SYSTEM MANAGER(S) AND ADDRESS:
    The official responsible for policies and procedures is the 
Director, Health Systems Design and Development (192), Department of 
Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. The 
local official responsible for maintaining the system is the Director 
of the facility where the individual is or was associated.

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether this system of records 
contains information about them should contact the VA facility location 
at which they are or were employed or made or have contact. Inquiries 
should include the person's full name, social security number, dates of 
employment, date(s) of contact, and return address.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of

[[Page 5672]]

records in this system may write, call or visit the VA facility 
location where they are or were employed or made contact.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures, above.)

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by the 
individual, supervisors, other employees, personnel records, or 
obtained from their interaction with the system.

[FR Doc. 04-2405 Filed 2-4-04; 8:45 am]
BILLING CODE 8320-01-P