[Federal Register Volume 69, Number 67 (Wednesday, April 7, 2004)]
[Notices]
[Pages 18428-18436]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-7819]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), 
notice is hereby given that the Department of Veterans Affairs (VA) is 
amending the system of records currently entitled ``Patient Medical 
Records-VA'' (24VA136) as set forth in the Federal Register 56 FR 6048. 
VA is amending the system by revising the System Number, the System 
Location, Categories of Records in the System, Routine Uses of Records 
Maintained in the System, Including Categories of Users and the 
Purposes of Such Uses, Policies and Practices for Storing, Retrieving, 
Accessing, Retaining, and Disposing of Records in the System, and 
System Manager(s) and Address. VA is republishing the system notice in 
its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than May 7, 2004. If no public comment is received, 
the amended system will become effective May 7, 2004.

ADDRESSES: You may mail or hand-deliver written comments concerning the 
proposed amended system of records to the Director, Regulations 
Management (00REG1), Department of Veterans Affairs, 810 Vermont 
Avenue, NW., Washington, DC 20420; or fax comments to (202) 273-9026; 
or e-mail comments to ``[email protected]''. All relevant 
material received before May 7, 2004 will be considered. Comments will 
be available for public inspection at the above address in the Office 
of Regulations Management, Room 1063B, between the hours of 8 a.m. and 
4:30 p.m., Monday through Friday (except holidays).

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Act Officer, Department of Veterans Affairs, 810 Vermont 
Avenue, NW., Washington, DC 20420; telephone (727) 320-1839.

SUPPLEMENTARY INFORMATION: The System number is changed from 24VA136 to 
24VA19 to reflect the current organizational alignment.
    The System Location is amended to reflect current organization 
structure with Veterans Integrated Service Network Offices having 
replaced Regional Director Offices. The System Location is also amended 
to reflect the transition from maintaining paper medical records to 
computerized medical records. This includes computerized medical record 
data stored in the VA Health Data Repository (HDR). The HDR is defined 
as a repository of clinical information normally residing on one or 
more independent platforms for use by clinicians and other personnel in 
support of longitudinal patient-centric care. Data will be organized in 
a format that supports the clinical decision-making process requisite 
to patient care, independent of the physical location of that patient 
information. The key objective of the HDR project is the ability to 
create a composite, portable, legal medical record that will enable 
providers to obtain integrated data views (computable views) and 
acquire the patient-specific clinical information needed to support 
treatment decisions. Initially, data from existing Veterans Health 
Information Systems and Technology Architecture (VistA) systems will be 
used to populate the HDR. Thus, current VistA files (and the service 
processes using the files) will continue to be used. As VistA files and 
processes are replaced by commercial off-the shelf (COTS) applications, 
data will be mapped from these new locations. The HDR functionality 
will include notifications, clinical reminders, decision support, and 
alerts. The HDR will be located at the VA National Data Centers. 
Addresses of VA facilities are removed from the System Location and can 
be found in Appendix 1 of the biennial publication of the VA Privacy 
Act Issuances.
    Categories of Records in the System are amended to remove specific 
titles of VA databases, as these are included in the VA National 
Database system of records. As of August 1992, paper perpetual medical 
records, which included the applications(s) for medical benefits, 
hospital summary(ies), operation report(s), and tissue examinations(s) 
for all episodes of care, and if applicable, autopsy reports and 
certain Freedom of Information and Privacy Acts related records, are no

[[Page 18429]]

longer created or maintained at VHA facilities. VHA facilities retire 
the complete paper medical record to a Federal Records Center after 
three years of inactivity in accordance with Records Control Schedule 
(RCS) 10-1.
    Authority for Maintenance of the System is amended to reflect 
current code section numbers after 38 U.S.C. was re-codified by 
Congress.
    Purpose(s) are amended to reflect how health information will be 
shared with government and private sector health care organizations.
    Generally, routine use disclosures are amended to reflect plain 
language. Further, routine uses are amended to provide consistency with 
the Department of Health and Human Services Health Insurance 
Portability and Accountability Act (HIPAA) standards for Privacy, 
including re-phrasing ``medical record data'' or ``medical care'' to 
individually-identifiable health care information.
    Routine uses with minor edits for plain language will not be 
further enumerated. Former Routine uses 9, 21, 22, 25, 29 and 30 
provided for disclosures relative to patient financial obligations, 
unpaid debts, and matching programs with other federal agencies to 
identify veterans who have indebtedness to the United States by virtue 
of participation in a VA benefits program are deleted. This information 
or routine disclosures from 24VA136 to discover indebtedness 
information are incorporated into the new VA System of Records, 
114VA16, ``The Revenue Program--Billing and Collections Records--VA'' 
which has been created to cover these disclosures.
    Routine use number 3 has been amended in its entirety. On its own 
initiative, VA may disclose information, except for the names and home 
addresses of veterans and their dependents, to a Federal, state, local, 
tribal or foreign agency charged with the responsibility of 
investigating or prosecuting civil, criminal or regulatory violations 
of law, or charged with enforcing or implementing the statute, 
regulation, rule or order issued pursuant thereto. On its own 
initiative, VA may also disclose the names and addresses of veterans 
and their dependents to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto.
    VA must be able to comply with the requirements of agencies charged 
with enforcing the law and conducting investigations. VA must also be 
able to provide information to state or local agencies charged with 
protecting the public's health as set forth in state law.
    Routine use number 4 has been amended to delete the phrase ``the 
letting of a contract'' as it no longer applies to this routine use. 
Also, the phrase ``as required by law'' has been added to ``the hiring 
or retention of an employee and the issuance of a security clearance as 
required by law''
    Former routine use number 5 is deleted from this system of records. 
Upon review, it has been determined that this routine use is no longer 
applicable to this system and, as such, is no longer required.
    Former routine uses 23 and 24 are deleted as they were invalidated 
by two court cases, Doe v. DiGenova, Sec.  779 F. 2d 74(D.C. Cir. 1985) 
and Doe v. Stephens, Sec.  854 F.2d. 14517(D.C. Cir. 1988).
    The remaining routine uses are re-numbered due to above deletions.
    Routine use 13, formerly 15, is amended to reflect VA's cabinet 
status by substituting the current title, Under Secretary for Health 
for Chief Medical Director.
    Routine use 19, formerly 26, is amended to delete the phrase ``in 
order for the agency to obtain information relevant to an agency 
decision concerning the hiring, retention or termination of an 
employee'' as it no longer pertains to the routine use.
    Routine use 25, formerly 34, was not amended, however, 
clarification on the intent of the term ``refers'' is being provided. 
It was always the intent of VA for the term ``refers'' to mean when VA 
health care facilities send a patient to a Federal agency or non-VA 
health care provider for treatment regardless of whether or not VA is 
paying for the care.
    Routine use disclosures are added, as described below, to enable 
efficient administration of health care operations and to assist in the 
planning and delivery of patient medical care.
     Routine use thirty-five (35) states that 
disclosure by a physician or professional counselor that a patient is 
infected with Hepatitis C may be made to the spouse, the person or 
subject with whom the patient has a meaningful relationship with, or to 
an individual whom the patient or subject has identified as being a 
sexual partner of the patient or subject.
     Routine use thirty-six (36) states that 
information may be disclosed to the Federal Labor Relations Authority 
(FLRA) (including its General Counsel) when requested in connection 
with the investigation and resolution of allegations of unfair labor 
practices, in connection with the resolution of exceptions to 
arbitrator awards when a question of material fact is raised, in 
connection with matters before the Federal Service Impasses Panel, and 
to investigate representation petitions and conduct or supervise 
representation elections. The release of information to FLRA from this 
Privacy Act system of records is necessary to comply with the statutory 
mandate under which FLRA operates.
     Routine use thirty-seven (37) states information 
may be disclosed to officials of labor organizations recognized under 5 
U.S.C. chapter 71 when relevant and necessary to their duties of 
exclusive representation concerning personnel policies, practices, and 
matters affecting working conditions.
     Routine use thirty-eight (38) states that 
information may be disclosed to officials of the Merit Systems 
Protection Board, including the Office of the Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or
as may be authorized by law.
     Routine use thirty-nine (39) states that 
information may be disclosed to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discrimination practices, examination of Federal 
affirmative employment programs, compliance with the Uniform Guidelines 
of Employee Selection Procedures, or other functions vested in the 
Commission by the President's Reorganization Plan No. 1 of 1978.
     Routine use forty (40) states that health care 
information may be disclosed to health and welfare agencies, housing 
resources or utility companies, possibly to be combined with 
disclosures to other agencies, in situations where VA needs to act 
quickly in order to provide basic and/or emergency needs on behalf of 
veterans and veterans' families where the family resides with the 
veteran or serves as a caregiver.
    There are times when these referrals must be made quickly to obtain 
the resources necessary to maintain safe community living situations 
and obtain priority service for high-risk veterans. Health can be 
compromised when heat is turned off, telephone access denied, and food 
and clothing is not available. Flexibility is needed to contact a 
variety of agencies promptly to meet multiple

[[Page 18430]]

needs in a timely manner. Numerous calls are often necessary to find 
the mix of resources needed. VA must be prepared to disclose relevant 
health care information to shelters, not-for-profit or profit assisted 
living homes, sheltered or group homes, public housing or to residence 
management that may be ready to evict veterans, where VA needs to use 
some medical and identifying information in negotiations.
     Routine use forty-one (41) states that health 
care information may be disclosed to funeral directors or 
representatives of funeral homes in order to allow them to make 
necessary arrangements prior to and in anticipation of a veteran's 
impending death.
     Routine use forty-two (42) states that health 
care information may be disclosed to the Food and Drug Administration 
(FDA), or a person subject to the jurisdiction of the FDA with respect 
to an FDA-regulated products, for purposes of reporting adverse events, 
product defects or problems, or biological product deviations; tracking 
products; enabling product recalls, repairs, or replacement; and/or 
conducting post marketing surveillance.
     Routine use forty-three (43) states that 
disclosure of individually-identifiable health care information may be 
made to a non-VA health care provider, such as DoD and IHS, for the 
purpose of treating a veteran. To better facilitate medical care and 
treatment for veterans, VA must be prepared to share health information 
between VHA, the Department of Defense (DoD), Indian Health Services 
(IHS), and other government health care organizations.
     Routine use forty-four (44) states that 
disclosure of information may be made to telephone company operators 
acting in a capacity to facilitate phone calls to/for hearing impaired 
individuals, such as veterans, veteran's family members, non-VA 
providers, etc., using Telephone Devices for the Hearing Impaired 
including Telecommunications Device for the Deaf (TDD) or Text 
Telephones (TTY).
    This service may be required in order for VA to provide veteran 
and/or veteran's family with disabilities basic and/or emergency health 
care services.
     Routine use forty-five (45) states that in 
compliance with 38 U.S.C. 5313B(d), VA may disclose information to any 
Federal, state, local, tribal or foreign law enforcement agency in 
order to report a known fugitive felon.
    VA must also be able to provide information to Federal, state or 
local agencies charged with protecting the public.
     Routine use forty-six (46) states that relevant 
health care information, excluding medical treatment information 
related to drug or alcohol abuse, infection with the human 
immunodeficiency virus or sickle cell anemia, and the names and home 
addresses of veterans and their dependents, may be disclosed by VA 
employees who are designated requesters (individuals who have completed 
a course offered or approved by an Organ Procurement Organization), or 
their designee for the purpose of determining suitability of a 
patient's organs or tissues for organ donation to an Organ Procurement 
Organization, a designated requester that is a non-VA employee, or 
their designees acting on behalf of local Organ Procurement 
Organizations. This will permit representatives from the Organ 
Procurement Organizations to perform the medical record reviews 
required in making these determinations.
     Routine use forty-six (46) states relevant heath 
care information may be disclosed to DoD, or its components, for 
individuals treated under 38 U.S.C. 8111A for the purposes deemed 
necessary by appropriate military command authorities to assure proper 
execution of the military mission.
    VA is adding this routine use to provide disclosure authority in 
the course of treating individuals under 38 U.S.C. 8111A for the 
purposes discussed under 45 CFR 164.512(k)(1)(i).
    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which we collected the information. In all of the routine 
use disclosures described above, the recipient of the information will 
use the information in connection with a matter relating to one of VA's 
programs, will use the information to provide a benefit to VA, or 
disclosure is required by law.
    Under section 264, Subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 
100 Stat. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable Health 
Information, 45 CFR Parts 160 and 164. VHA may not disclose 
individually-identifiable health information (as defined in HIPAA and 
the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to 
a routine use unless either: (a) The disclosure is required by law, or 
(b) the disclosure is also permitted or required by the HHS Privacy 
Rule. The disclosures of individually-identifiable health information 
contemplated in the routine uses published in this amended system of 
records notice are permitted under the Privacy Rule or required by law. 
However, to also have authority to make such disclosures under the 
Privacy Act, VA must publish these routine uses. Consequently, VA is 
publishing these routine uses and is adding a preliminary paragraph to 
the routine uses portion of the system of records notice stating that 
any disclosure pursuant to the routine uses in this system of records 
notice must be either required by law or permitted by the Privacy Rule 
before VHA may disclose the covered information.
    Policies and practices for storing, retrieving, accessing, 
retaining and disposing of records in the system are amended to include 
provisions for computerized patient health information storage, 
including the Health Data Repository.
    The safeguards are amended to delete specific references to the 
names of information systems, databases and files within the 
information system, as these have been incorporated into the VA 
National Database system of records. The section addressing access to 
file information and how the information is controlled has been updated 
to include access by remote data users such as Veteran Outreach 
Centers, Veteran Service Officers (VSO) with power of attorney to 
assist with claim processing, Veterans Benefits Administration (VBA) 
Regional Office staff for benefit determination and processing 
purposes, Office of Inspector General (OIG) staff conducting official 
audits or investigations and other authorized individuals. A section on 
Health Data Repository safeguards has also been added.
    The System Manager is amended to reflect the current organizational 
structure and includes the System Manager for the Health Data 
Repository.
    The Report of Intent to Amend a System on Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.


[[Page 18431]]


    Approved: March 12, 2004.
Anthony J. Principi,
Secretary of Veterans Affairs.
24VA19

SYSTEM NAME:
    Patient Medical Records-VA.

SYSTEM LOCATION:
    Records are maintained at each VA health care facility (in most 
cases, back-up information is stored at off-site locations). Subsidiary 
record information is maintained at the various respective services 
within the health care facility (e.g., Pharmacy, Fiscal, Dietetic, 
Clinical Laboratory, Radiology, Social Work, Psychology, etc.) and by 
individuals, organizations, and/or agencies with whom VA has a contract 
or agreement to perform such services, as VA may deem practicable.
    Address locations for VA facilities are listed in Appendix 1 of the 
biennial publication of the VA Privacy Act Issuances. In addition, 
information from these records or copies of these records may be 
maintained at the Department of Veteran Affairs Central Office, 810 
Vermont, NW., Washington, DC 20420, VA National Data Centers, in the VA 
Health Data Repository (HDR) [located at the VA National Data Centers], 
VA Chief Information Office (CIO) Field Offices, Veterans Integrated 
Service Networks, Regional and General Counsel Offices.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    1.Veterans who have applied for health care services under Title 
38, United States Code, Chapter 17, and members of their immediate 
families.
    2. Spouse, surviving spouse, and children of veterans who have 
applied for health care services under Title 38, United States Code, 
Chapter 17.
    3. Beneficiaries of other Federal agencies.
    4. Individuals examined or treated under contract or resource 
sharing agreements.
    5. Individuals examined or treated for research or donor purposes.
    6. Individuals who have applied for Title 38 benefits but who do 
not meet the requirements under Title 38 to receive such benefits.
    7. Individuals who were provided medical care under emergency 
conditions for humanitarian reasons.
    8. Pensioned members of allied forces provided health care services 
under Title 38, United States Code, Chapter I.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The patient medical record is a consolidated health record (CHR) 
which may include:
    (i) An administrative (non-clinical information) record (e.g., 
medical benefit application and eligibility information) including 
information obtained from Veterans Benefits Administration automated 
records such as the Veterans and Beneficiaries Identification and 
Records Locator Subsystem-VA (38VA23) and the Compensation, Pension, 
Education and Rehabilitation Records-VA (58VA21/22/28), and 
correspondence about the individual;
    (ii) A medical record (a cumulative account of sociological, 
diagnostic, counseling, rehabilitation, drug and alcohol, dietetic, 
medical, surgical, dental, psychological, and/or psychiatric 
information compiled by VA professional staff and non-VA health care 
providers), and
    (iii) Subsidiary record information (e.g., tumor registry, dental, 
pharmacy, nuclear medicine, clinical laboratory, radiology, and patient 
scheduling information). The consolidated health record may include 
identifying information (e.g., name, address, date of birth, VA claim 
number, social security number), military service information (e.g., 
dates, branch and character of service, service number, medical 
information), family information (e.g., next of kin and person to 
notify in an emergency; address information, name, social security 
number and date of birth for veteran's spouse and dependents; family 
medical history information), employment information (e.g., occupation, 
employer name and address), financial information (e.g., family income; 
assets; expenses; debts; amount and source of income for veteran, 
spouse and dependents), third-party health plan contract information 
(e.g., health insurance carrier name and address, policy number, 
amounts billed and paid), and information pertaining to the 
individual's medical, surgical, psychiatric, dental, and/or 
psychological examination, evaluation, and/or treatment (e.g., 
information related to the chief complaint and history of present 
illness; information related to physical, diagnostic, therapeutic, 
special examinations, clinical laboratory, pathology and x-ray 
findings, operations, medical history, medications prescribed and 
dispensed, treatment plan and progress, consultations; photographs 
taken for identification and medical treatment; education and research 
purposes; facility locations where treatment is provided; observations 
and clinical impressions of health care providers to include identity 
of providers and to include, as appropriate, the present state of the 
patient's health, an assessment of the patient's emotional, behavioral, 
and social status, as well as an assessment of the patient's 
rehabilitation potential and nursing care needs). Abstract information 
(e.g., environmental, epidemiological and treatment regimen registries, 
etc.) is maintained in auxiliary paper and automated records.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, Section 501(b) and Section 304.

PURPOSE(S):
    The paper and automated records may be used for such purposes as: 
Ongoing treatment of the patient; documentation of treatment provided; 
payment; health care operations such as producing various management 
and patient follow-up reports; responding to patient and other 
inquiries; for epidemiological research and other health care related 
studies; statistical analysis, resource allocation and planning; 
providing clinical and administrative support to patient medical care; 
determining entitlement and eligibility for VA benefits; processing and 
adjudicating benefit claims by Veterans Benefits Administration 
Regional Office (VARO) staff; for audits, reviews and investigations 
conducted by staff of the health care facility, the networks, VA 
Central Office, and the VA Office of Inspector General (OIG); sharing 
of health information between and among Veterans Health Administration 
(VHA), Department of Defense (DoD), Indian Health Services (IHS), and 
other government and private industry health care organizations; law 
enforcement investigations; quality assurance audits, reviews and 
investigations; personnel management and evaluation; employee ratings 
and performance evaluations, and employee disciplinary or other adverse 
action, including discharge; advising health care professional 
licensing or monitoring bodies or similar entities of activities of VA 
and former VA health care personnel; accreditation of a facility by an 
entity such as the Joint Commission on Accreditation of Healthcare 
Organizations (JCAHO); and, notifying medical schools of medical 
students' performance and billing.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR Parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse,

[[Page 18432]]

sickle cell anemia or infection with the human immunodeficiency virus, 
that information cannot be disclosed under a routine use unless there 
is also specific statutory authority in 38 U.S.C. 7332 and regulatory 
authority in 45 CFR Parts 160 and 164 permitting disclosure.
    1. Disclosure of health care information as deemed necessary and 
proper to Federal, state and local government agencies and national 
health organizations in order to assist in the development of programs 
that will be beneficial to claimants, to protect their rights under 
law, and assure that they are receiving all benefits to which they are 
entitled.
    2. Disclosure of health care information furnished and the period 
of care, as deemed necessary and proper, to accredited service 
organization representatives and other approved agents, attorneys, and 
insurance companies to aid claimants whom they represent in the 
preparation, presentation and prosecution of claims under laws 
administered by VA, state or local agencies.
    3. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature, and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, state, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.
    4. A record from this system of records may be disclosed to a 
Federal agency or the District of Columbia government, in response to 
its request, in connection with the hiring or retention of an employee 
and the issuance of a security clearance as required by law, the 
reporting of an investigation of an employee, or the issuance of a 
license, grant, or other benefit by the requesting agency, to the 
extent that the information is relevant and necessary to the requesting 
agency's decision.
    5. Disclosure of individually-identifiable health care information 
may be made by appropriate VA personnel to the extent necessary and on 
a need-to-know basis, consistent with good medical-ethical practices, 
to family members and/or the person(s) with whom the patient has a 
meaningful relationship.
    6. In response to an inquiry about a named individual from a member 
of the general public, disclosure may be made to establish the 
patient's presence (and location when needed for visitation purposes) 
in a medical facility or to report the patient's general condition 
while hospitalized (e.g., satisfactory, seriously ill).
    7. Relevant information may be disclosed in the course of 
presenting evidence to a court, magistrate or administrative tribunal, 
in matters of guardianship, inquests and commitments; to private 
attorneys representing veterans rated incompetent in conjunction with 
issuance of Certificates of Incompetency; and to probation and parole 
officers in connection with Court required duties.
    8. Relevant information may be disclosed to a guardian ad litem in 
relation to his or her representation of a claimant in any legal 
proceeding.
    9. Disclosure may be made to a Congressional office from the record 
of an individual in response to an inquiry from the Congressional 
office made at the request of that individual.
    10. The name(s) and address(es) of present or former members of the 
armed services and/or their dependents may be disclosed under certain 
circumstances: (a) To any nonprofit organization if the release is 
directly connected with the conduct of programs and the utilization of 
benefits under Title 38, and (b) to any criminal or civil law 
enforcement governmental agency or instrumentality charged under 
applicable law with the protection of the public health or safety, if a 
qualified representative of such organization, agency or 
instrumentality has made a written request that such name(s) or 
address(es) be provided for a purpose authorized by law; provided, 
further, that the record(s) will not be used for any purpose other than 
that stated in the request and that organization, agency or 
instrumentality is aware of the penalty provision of 38 U.S.C. 5701 
(f).
    11. The nature of the patient's illness, probable prognosis, 
estimated life expectancy and need for the presence of the related 
service member may be disclosed to the American Red Cross for the 
purpose of justifying emergency leave.
    12. Any relevant information may be disclosed to attorneys, 
insurance companies, employers, third parties liable or potentially 
liable under health plan contracts, and to courts, boards, or 
commissions, only to the extent necessary to aid VA in preparation, 
presentation, and prosecution of claims authorized under Federal, 
state, or local laws, and regulations promulgated thereunder.
    13. Disclosure of health information, excluding name and home 
address, (unless name and address is furnished by the requester) for 
research purposes determined to be necessary and proper, to 
epidemiological and other research entities approved by the Under 
Secretary for Health.
    14. In order to conduct Federal research necessary to accomplish a 
statutory purpose of an agency, at the written request of the head of 
the agency, or designee of the head of that agency, the name(s) and 
address(es) of present or former personnel of the Armed Services and/or 
their dependents may be disclosed (a) to a Federal department or agency 
or (b) directly to a contractor of a Federal department or agency. When 
a disclosure of this information is to be made directly to the 
contractor, VA may impose applicable conditions on the department, 
agency and/or contractor to insure the appropriateness of the 
disclosure to the contractor.
    15. Relevant information may be disclosed to the Department of 
Justice and United States Attorneys in defense or prosecution of 
litigation involving the United States, and to Federal agencies upon 
their request in connection with review of administrative tort claims 
filed under the Federal Tort Claims Act, 28 U.S.C. 2672.
    16. Health care information may be disclosed by the examining VA 
physician to a non-VA physician when that non-VA physician has referred 
the individual to the VA for medical care.
    17. Patient medical records may be disclosed to the National 
Archives and Records Administration (NARA) and the General Services 
Administration (GSA) in records management inspections conducted under 
authority of 44 U.S.C.
    18. Health care information concerning a non-judicially declared 
incompetent patient may be disclosed to a third party upon the written 
authorization of the patient's next of kin in order for the patient or, 
consistent with the best interest of the patient, a member of the 
patient's family, to receive a benefit to which the patient or family 
member is entitled or, to arrange for the patient's discharge from a VA 
medical facility. Sufficient information to make an informed 
determination will be made available to such next of kin. If the 
patient's next of kin are not

[[Page 18433]]

reasonably accessible, the Chief of Staff, Director, or designee of the 
custodial VA medical facility may make disclosure of health care 
information for these purposes.
    19. Disclosure may be made to a Federal agency or to a state or 
local government licensing board and/or to the Federation of State 
Medical Boards, or a similar non-government entity, which maintains 
records concerning individuals' employment histories or concerning the 
issuance, retention or revocation of licenses, certifications, or 
registration necessary to practice an occupation, profession or 
specialty, to inform a Federal agency or licensing boards or the 
appropriate non-government entities about the health care practices of 
a terminated, resigned or retired health care employee whose 
professional health care activity so significantly failed to conform to 
generally accepted standards of professional medical practice as to 
raise reasonable concern for the health and safety of patients in the 
private sector or from another Federal agency. These records may also 
be disclosed as part of an ongoing computer matching program to 
accomplish these purposes.
    20. In the case of any record which is maintained in connection 
with the performance of any program or activity relating to infection 
with the Human Immunodeficiency Virus (HIV), information may be 
disclosed to a Federal, state, or local public health authority that is 
charged under Federal or state law with the protection of the public 
health, and to which Federal or state law requires disclosure of such 
record, if a qualified representative of such authority has made a 
written request that such record be provided as required pursuant to 
such law for a purpose authorized by such law. The person to whom 
information is disclosed should be advised that they shall not re-
disclose or use such information for a purpose other than that for 
which the disclosure was made [(38 U.S.C. 7332 (b)(2)(C)]. The 
disclosure of patient name and address under this routine use must 
comply with the provisions of 38 U.S.C. 5701 (f)(2).
    21. Information indicating that a patient or subject is infected 
with the Human Immunodeficiency Virus (HIV) may be disclosed by a 
physician or professional counselor to the spouse of the patient or 
subject, or to an individual whom the patient or subject has a 
meaningful relationship, during the process of professional counseling 
or of testing, to determine whether the patient or subject is infected 
with the virus, identified as being a sexual partner of the patient or 
subject. Disclosures may be made only if the physician or counselor, 
after making reasonable efforts to counsel and encourage the patient or 
subject to provide the information to the spouse or sexual partner, and 
if the disclosure is necessary to protect the health of the spouse or 
sexual partner. Such disclosures should, to the extent feasible, be 
made by the patient's or subject's treating physician or professional 
counselor. Before any patient or subject gives consent to being tested 
for the HIV, as part of pre-testing counseling, the patient or subject 
must be informed fully about these notification procedures.
    22. Identifying information, including name, address, social 
security number, and other information as is reasonably necessary to 
identify such individual, may be disclosed to the National Practitioner 
Data Bank at the time of hiring and/or clinical privileging/re-
privileging of health care practitioners, and other times as deemed 
necessary by VA, in order for VA to obtain information relevant to a 
Department decision concerning the hiring, privileging/re-privileging, 
retention or termination of the applicant or employee.
    23. Relevant information may be disclosed to the National 
Practitioner Data Bank and/or State Licensing Board in the state(s) in 
which a practitioner is licensed, in which the VA facility is located, 
and/or in which an act or omission occurred upon which a medical 
malpractice claim was based when VA reports information concerning: (a) 
Any payment for the benefit of a physician, dentist, or other licensed 
health care practitioner which was made as the result of a settlement 
or judgment of a claim of medical malpractice, if an appropriate 
determination is made in accordance with Department policy that payment 
was related to substandard care, professional incompetence or 
professional misconduct on the part of the individual; (b) a final 
decision which relates to possible incompetence or improper 
professional conduct that adversely affects the clinical privileges of 
a physician or dentist for a period longer than 30 days; or, (c) the 
acceptance of the surrender of clinical privileges, or any restriction 
of such privileges by a physician or dentist, either while under 
investigation by the health care entity relating to possible 
incompetence or improper professional conduct, or in return for not 
conducting such an investigation or proceeding. These records may also 
be disclosed as part of a computer matching program to accomplish these 
purposes.
    24. Relevant health care information may be disclosed to a state 
veterans home for the purpose of medical treatment and/or follow-up at 
the state home when VA makes payment of a per diem rate to the state 
home for the patient receiving care at such home, and the patient 
receives VA medical care.
    25. Relevant health care information may be disclosed to (a) a 
Federal agency or non-VA health care provider or institution when VA 
refers a patient for hospital or nursing home care or medical services, 
or authorizes a patient to obtain non-VA medical services and the 
information is needed by the Federal agency or non-VA institution or 
provider to perform the services; or (b) a Federal agency or a non-VA 
hospital (Federal, state and local, public or private) or other medical 
installation having hospital facilities, blood banks, or similar 
institutions, medical schools or clinics, or other groups or 
individuals that have contracted or agreed to provide medical services, 
or share the use of medical resources under the provisions of 38 U.S.C 
513, 7409, 8111, or 8153, when treatment is rendered by VA under the 
terms of such contract or agreement or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment and/or follow-up, determining entitlement to a benefit or, 
for VA to effect recovery of the costs of the medical care.
    26. For program review purposes and the seeking of accreditation 
and/or certification, health care information may be disclosed to 
survey teams of the Joint Commission on Accreditation of Healthcare 
Organizations (JCAHO), College of American Pathologists, American 
Association of Blood Banks, and similar national accrediting agencies 
or boards with whom VA has a contract or agreement to conduct such 
reviews, but only to the extent that the information is necessary and 
relevant to the review.
    27. Relevant health care information may be disclosed to a non-VA 
nursing home facility that is considering the patient for admission, 
when information concerning the individual's medical care is needed for 
the purpose of preadmission screening under 42 CFR 483.20(f), for the 
purpose of identifying patients who are mentally ill or mentally 
retarded, so they can be evaluated for appropriate placement.
    28. Information from a named patient's VA medical record which 
relates to the performance of a health care student or provider may be 
disclosed to a medical or nursing

[[Page 18434]]

school, or other health care related training institution, or other 
facility with which there is an affiliation, sharing agreement, 
contract, or similar arrangement when the student or provider is 
enrolled at or employed by the school or training institution, or other 
facility, and the information is needed for personnel management, 
rating and/or evaluation purposes.
    29. Relevant health care information may be disclosed to 
individuals, organizations, private or public agencies, etc., with whom 
VA has a contract or sharing agreement for the provision of health care 
or administrative services.
    30. Identifying information, including social security number, of 
veterans, spouse(s) of veterans, and dependents of veterans, may be 
disclosed to other Federal agencies for purposes of conducting computer 
matches, to obtain information to determine or verify eligibility of 
veterans who are receiving VA medical care under Title 38, U.S.C.
    31. The name and social security number of a veteran, spouse and 
dependent, and other identifying information as is reasonably necessary 
may be disclosed to the Social Security Administration, Department of 
Health and Human Services (HHS), for the purpose of conducting a 
computer match to obtain information to validate the social security 
numbers maintained in VA records.
    32. The patient name and relevant health care information 
concerning an adverse drug reaction of a patient may be disclosed to 
the Food and Drug Administration (FDA), HHS, for purposes of quality of 
care management, including detection, treatment, monitoring, reporting, 
analysis and follow-up actions relating to adverse drug reactions.
    33. Patient identifying information may be disclosed to Federal 
agencies and VA and government-wide third-party insurers responsible 
for payment of the cost of medical care for the identified patients, in 
order for VA to seek recovery of the medical care costs. These records 
may also be disclosed as part of a computer matching program to 
accomplish these purposes.
    34. Pursuant to 38 U.S.C. 7464, and notwithstanding sections 5701 
and 7332, when requested by a VA employee or former VA employee (or a 
representative of the employee) whose case is under consideration by 
the VA Disciplinary Appeals Board, in connection with the 
considerations of the Board, records or information may be reviewed by 
or disclosed to the employee or former employee (or representative) to 
the extent the Board considers appropriate for purposes of the 
proceedings of the Board in that case, when authorized by the 
chairperson of the Board.
    35. Disclosure by a physician or professional counselor that a 
patient is infected with Hepatitis C may be made to the spouse, the 
person or subject with whom the patient has a meaningful relationship 
with, or to an individual whom the patient or subject has identified as 
being a sexual partner of the patient or subject.
    36. Disclosure may be made to the Federal Labor Relations 
Authority, including its General Counsel, when requested in connection 
with investigation and resolution of allegations of unfair labor 
practices, in connection with the resolution of exceptions to 
arbitrator awards when a question of material fact is raised and 
matters before the Federal Service Impasses Panel.
    37. Disclosure may be made to officials of labor organizations 
recognized under 5 U.S.C. chapter 71 when relevant and necessary to 
their duties of exclusive representation concerning personnel policies, 
practices, and matters affecting working conditions.
    38. Disclosure may be made to officials of the Merit Systems 
Protection Board, including the Office of the Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
may be authorized by law.
    39. Disclosure may be made to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discrimination practices, examination of Federal 
affirmative employment programs, compliance with the Uniform Guidelines 
of Employee Selection Procedures, or other functions vested in the 
Commission by the President's Reorganization Plan No. 1 of 1978.
    40. Relevant health care information may be disclosed to health and 
welfare agencies, housing resources and utility companies, possibly to 
be combined with disclosures to other agencies, in situations where VA 
needs to act quickly in order to provide basic and/or emergency needs 
for the veteran and veteran's family where the family resides with the 
veteran or serves as a caregiver.
    41. Disclosure of health care information may be made to funeral 
directors or representatives of funeral homes in order to allow them to 
make necessary arrangements prior to and in anticipation of a veteran's 
impending death.
    42. Disclosure of health care information may be made to the FDA, 
or a person subject to the jurisdiction of the FDA, with respect to 
FDA-regulated products for purposes of reporting adverse events, 
product defects or problems, or biological product deviations; tracking 
products; enabling product recalls, repairs, or replacement; and/or 
conducting post marketing surveillance.
    43. Disclosure of individually-identifiable health care information 
may be made to a non-VA health care provider, such as DoD or IHS, for 
the purpose of treating any VA patient, including veterans.
    44. Disclosure of information may be made to telephone company 
operators acting in a capacity to facilitate phone calls to/for hearing 
impaired individuals, such as veterans, veteran's family members, non-
VA providers, etc., using Telephone Devices for the Hearing Impaired 
including Telecommunications Device for the Deaf (TDD) or Text 
Telephones (TTY).
    45. In compliance with 38 U.S.C. 5313B(d), VA may disclose 
information to any Federal, state, local, tribal or foreign law 
enforcement agency in order to report a known fugitive felon.
    46. Relevant health care information, excluding medical treatment 
information related to drug or alcohol abuse, infection with the human 
immunodeficiency virus or sickle cell anemia, and the names and home 
addresses of veterans and their dependents, may be disclosed by VA 
employees who are designated requesters (individuals who have completed 
a course offered or approved by an Organ Procurement Organization), or 
their designee for the purpose of determining suitability of a 
patient's organs or tissues for organ donation to an Organ Procurement 
Organization, a designated requester that is a non-VA employee, or 
their designees acting on behalf of local Organ Procurement 
Organizations.
    47. Relevant heath care information may be disclosed to DoD, or its 
components, for individuals treated under 38 U.S.C. 8111A for the 
purposes deemed necessary by appropriate military command authorities 
to assure proper execution of the military mission.

[[Page 18435]]

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Records are maintained on paper, microfilm, electronic media or 
laser optical media in the consolidated health record at the health 
care facility where care was rendered, in the VA Health Data 
Repository, and at Federal Record Centers. In most cases, copies of 
back-up computer files are maintained at off-site locations. Subsidiary 
record information is maintained at the various respective services 
within the health care facility (e.g., Pharmacy, Fiscal, Dietetic, 
Clinical Laboratory, Radiology, Social Work, Psychology, etc.) and by 
individuals, organizations, and/or agencies with whom VA has a contract 
or agreement to perform such services, as the VA may deem practicable.
    Paper records are currently being relocated from Federal record 
centers to the VA Records Center and Vault. It is projected that all 
paper records will be stored at the VA Records Center and Vault by the 
end of the calendar year 2004.

Retrievability:
    Records are retrieved by name, social security number or other 
assigned identifiers of the individuals on whom they are maintained.

Safeguards:
    1. Access to working spaces and patient medical record storage 
areas in VA health care facilities is restricted to authorized VA 
employees. Generally, file areas are locked after normal duty hours. 
Health care facilities are protected from outside access by the Federal 
Protective Service and/or other security personnel. Access to patient 
medical records is restricted to VA employees who have a need for the 
information in the performance of their official duties. Sensitive 
patient medical records, including employee patient medical records, 
records of public figures, or other sensitive patient medical records 
are generally stored in separate locked files or a similar 
electronically controlled access environment. Strict control measures 
are enforced to ensure that access to and disclosures from these 
patient medical records are limited.
    2. Access to computer rooms within health care facilities is 
generally limited by appropriate locking devices and restricted to 
authorized VA employees and vendor personnel. ADP peripheral devices 
are generally placed in secure areas (areas that are locked or have 
limited access) or are otherwise protected. Only authorized VA 
employees or vendor employees may access information in the system. 
Access to file information is controlled at two levels: the system 
recognizes authorized employees by a series of individually unique 
passwords/codes as a part of each data message, and the employees are 
limited to only that information in the file that is needed in the 
performance of their official duties. Information that is downloaded 
and maintained on personal computers must be afforded similar storage 
and access protections as the data that is maintained in the original 
files. Access by remote data users such as Veteran Outreach Centers, 
Veteran Service Officers (VSO) with power of attorney to assist with 
claim processing, VBA Regional Office staff for benefit determination 
and processing purposes, OIG staff conducting official audits or 
investigations and other authorized individuals is controlled in the 
same manner.
    3. Access to the VA National Data Centers is generally restricted 
to Center employees, custodial personnel, Federal Protective Service 
and other security personnel. Access to computer rooms is restricted to 
authorized operational personnel through electronic locking devices. 
All other persons gaining access to computer rooms are escorted. 
Information stored in the computer may be accessed by authorized VA 
employees at remote locations including VA health care facilities, VA 
Central Office, Veterans Integrated Service Networks (VISNs), and OIG 
Central Office and field staff. Access is controlled by individually 
unique passwords/codes that must be changed periodically by the 
employee.
    4. Access to the VA Health Data Repository (HDR), located at the VA 
National Data Centers, is generally restricted to Center employees, 
custodial personnel, Federal Protective Service and other security 
personnel. Access to computer rooms is restricted to authorized 
operational personnel through electronic locking devices. All other 
persons gaining access to computer rooms are escorted. Information 
stored in the computer may be accessed by authorized VA employees at 
remote locations including VA health care facilities, VA Central 
Office, VISNs, and OIG Central Office and field staff. Access is 
controlled by individually unique passwords/codes that must be changed 
periodically by the employee.
    5. Access to records maintained at VA Central Office, the VA Boston 
Development Center, Chief Information Office Field Offices, and VISNs 
is restricted to VA employees who have a need for the information in 
the performance of their official duties. Access to information stored 
in electronic format is controlled by individually unique passwords/
codes. Records are maintained in manned rooms during working hours. The 
facilities are protected from outside access during non-working hours 
by the Federal Protective Service or other security personnel.
    6. Computer access authorizations, computer applications available 
and used, information access attempts, frequency and time of use are 
recorded.

Retention and disposal:
    In accordance with the records disposition authority approved by 
the Archivist of the United States, paper records and information 
stored on electronic storage media are maintained for 75 years after 
the last episode of patient care then destroyed/deleted.

System manager(S) and address:
    Patient Medical Record: Director, Information Assurance (19F), 
Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 
20420.
    Health Data Repository: Director, Health Data Systems (19-SL), 
Department of Veterans Affairs, 295 Chipeta Way, Salt Lake City, UT 
84108.

Notification procedure:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request or apply in person to the last VA health care 
facility where care was rendered. Addresses of VA health care 
facilities may be found in VA Appendix 1 of the Biennial Publication of 
Privacy Act Issuances. All inquiries must reasonably identify the 
portion of the medical record involved and the place and approximate 
date that medical care was provided. Inquiries should include the 
patient's full name, social security number and return address.

Record access procedure:
    Individuals seeking information regarding access to and contesting 
of VA medical records may write, call or visit the last VA facility 
where medical care was provided.

Contesting record procedures:
    (See Record Access Procedures above.)

Record source categories:
    The patient, family members or accredited representative, and 
friends,

[[Page 18436]]

employers; military service departments; health insurance carriers; 
private medical facilities and health care professionals; state and 
local agencies; other Federal agencies; VA Regional Offices, Veterans 
Benefits Administration automated record systems (including Veterans 
and Beneficiaries Identification and Records Location Subsystem-VA 
(38VA23) and the Compensation, Pension, Education and Rehabilitation 
Records-VA (58VA21/22/28); and various automated systems providing 
clinical and managerial support at VA health care facilities.

[FR Doc. 04-7819 Filed 4-6-04; 8:45 am]
BILLING CODE 8320-01-P