[Federal Register Volume 69, Number 193 (Wednesday, October 6, 2004)]
[Notices]
[Pages 59991-59994]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-22437]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552a(e)(4)) requires that 
all agencies publish in the Federal Register a notice of the existence 
and character of their systems of records. Notice is hereby given that 
the Department of Veterans Affairs (VA) is establishing a new system of 
records entitled ``My HealtheVet Administrative Records--VA'' 130VA19.

DATES: Comments on this new system of records must be received no later 
than November 5, 2004. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by VA, the new system will become effective November 5, 2004.

ADDRESSES: Written comments concerning the proposed new system of 
records may be submitted by: Mail or hand-delivery to Director, 
Regulations Management (00REG1), Department of Veterans Affairs, 810 
Vermont Avenue, NW., Room 1068, Washington, DC 20420; fax to (202) 273-
9026; or e-mail to [email protected]. All comments received 
will be available for public inspection in the Office of Regulation 
Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 
p.m., Monday through Friday (except holidays). Please call (202) 273-
9515 for an appointment.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue, 
NW., Washington, DC 20420, telephone (727) 320-1839.

SUPPLEMENTARY INFORMATION:
    Background: My HealtheVet is a web-based system that provides 
veterans with information and tools that they can use to increase their 
knowledge about health conditions, increase communication with their 
care providers and improve their own health. Participating veterans can 
request on-line prescription refills, view upcoming appointments, and 
check their co-payment balances. Through a web-based environment, the 
VA will also provide a secure and private health space where veterans 
can enter their own medical information in a ``self-entered'' health 
information section, and request a download of copies of key portions 
of their official VA health record. Veterans can personalize this 
private environment with links to explanatory material that may help 
them understand their health record and how to improve their health. As 
My HealtheVet is refined, VA plans to offer more services to veterans, 
such as secure electronic messaging with their VA health care 
providers.
    While VA is the authoritative source of veterans' VA medical 
records, once veterans request copies of key portions of their medical 
records, VA will download the copies into a secure and private health 
space where they are owned and maintained by the veteran.
    The veteran's self-entered health information is also owned and 
maintained by the veteran in the My HealtheVet secure and private 
health space. This self-entered health information is only included in 
the veteran's official VA medical record upon the veteran's request and 
upon the VA's medical determination that it is appropriate to include 
it in the official medical record.
    The VA does not provide access to the veteran's personal health 
information in My HealtheVet in medical emergency situations. However, 
if a non-VA health care provider requires information from VA medical 
records to treat a veteran patient, the non-VA health care provider 
should contact the VA facility where the veteran patient was last 
treated to obtain that information.
    This new on-line environment, which is consistent with existing VA 
clinical practices, allows veterans to share all or part of the 
information in their account with other individuals, such as family 
members, and VA and non-VA health care providers.
    VA will only release the health information in the veteran's 
private and secure health space when authorized to do so by the veteran 
user, except in very limited circumstances. These limited circumstances 
include in response to a court order or a subpoena signed by a judge, 
or in response to a written request from a law enforcement agency. 
Further details about the operation and maintenance of My HealtheVet 
are provided to qualified individuals at the time they register for the 
My HealtheVet program.
    In order to administer the My HealtheVet program and support the 
provision of the above benefits to veterans, VHA is retaining 
administrative information, including personally identifiable 
information, on users and information technology (IT) administrators of 
My HealtheVet electronic services. This administrative information is 
stored in the My HealtheVet Administrative Records System, and 
constitutes a system of records.

I. Description of Proposed System of Records

    The proposed My HealtheVet Administrative Records System contains 
administrative information created or collected during the course of 
operating My HealtheVet, and is provided by veterans and other 
qualified individuals, their delegates and grantees, Veterans Health 
Information Systems and Technology Architecture (VistA) IT systems, VA 
employees, contractors, and subcontractors. At this time, the My 
HealtheVet program is planning to maintain minimal administrative 
records at each local facility, while maintaining more comprehensive 
administrative records at a central location in the VA Austin 
Automation Center. The records kept locally support the local VA My 
HealtheVet training programs, sensitive information reviews and VA's 
annual reporting requirements under the Freedom of Information Act 
(FOIA) for those veterans who sign up for electronic access to copies 
of key portions of their health records.
    The more comprehensive repository of administrative information is 
being housed at the Austin Automation Center (AAC). This information is 
used to support My HealtheVet electronic services, such as requests for 
prescription refill, co-payment and appointment information, entry of 
personal health metrics, and requests for copies of key portions of the 
personal health information on-line. This information may also be used 
for business administrative reports for

[[Page 59992]]

system operators and VA managers to ensure that the My HealtheVet 
system is meeting performance expectations and being used within legal 
boundaries.
    The information needed to support My HealtheVet program activities 
and electronic services includes such information as: The person's full 
name; My HealtheVet User ID; date of birth; e-mail address; telephone 
number; mother's maiden name; zip code; place and date of registration 
for My HealtheVet electronic record access; delegate and grantee user 
IDs associated with My HealtheVet users; level of access to My 
HealtheVet electronic services; date and type of transaction; patient 
integration control number (ICN); and other administrative data needed 
for My HealtheVet roles and services.

II. Proposed Routine Use Disclosures of Data in the System

    These routine uses only apply to the My HealtheVet administrative 
information described in this system of records notice. These routine 
uses do not apply to the veteran's personal health information 
maintained in the private and secure health space which is not owned by 
VA or subject to the system of records requirements. VHA is proposing 
the following routine use disclosures of information to be maintained 
in the system:
    1. Relevant information may be disclosed to individuals, 
organizations, private or public agencies, etc., with whom VA has a 
contract or agreement, including sub-contractors, to perform such 
services as VA may deem practical for the purposes of laws administered 
by VA, in order for the contractor to perform the services of the 
contract or agreement.
    VA must be able to give contractors whatever information is 
necessary to fulfill their duties. In these situations, safeguards are 
provided in the contract prohibiting the contractor from using or 
disclosing the information for any purpose other than that described in 
the contract.
    2. On its own initiative, VA may disclose information, except for 
the names of My HealtheVet users, to a Federal, state, local, tribal or 
foreign agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto. On its own initiative, the VA may also 
disclose the names of My HealtheVet users to a Federal agency charged 
with the responsibility of investigating or prosecuting civil, criminal 
or regulatory violations of law, or charged with enforcing or 
implementing the statute, regulation, rule or order issued pursuant 
thereto.
    VA must be able to comply with the requirements of agencies charged 
with enforcing the law and conducting investigations. VA must also be 
able to provide administrative information to state or local agencies 
charged with protecting the public's health as set forth in state law.
    3. Disclosure may be made to National Archives and Records 
Administration (NARA) for it to perform its records management 
inspection responsibilities and its role as Archivist of the United 
States under authority of Title 44 United States Code (U.S.C.).
    NARA is responsible for archiving old records no longer actively 
used but which may be appropriate for preservation; they are 
responsible in general for the physical maintenance of the Federal 
government's records. VA must be able to turn records over to these 
agencies in order to determine the proper disposition of such records.
    4. Any information in this system of records may be disclosed to 
the United States Department of Justice or United States Attorneys in 
order to prosecute or defend litigation involving or pertaining to the 
United States, or in which the United States has an interest.
    By law, the Department of Justice represents VA in all litigation 
and must be given record access when deemed necessary to provide 
appropriate representation.
    5. Disclosure may be made to a Congressional office from this 
system of records in response to an inquiry from the congressional 
office made at the request of the individual who is the subject of the 
records.
    In special cases, individuals request the help of a member of 
Congress in resolving issues relating to a matter before VA. The member 
of Congress then writes VA, and VA must be able to give sufficient 
information to respond to the inquiry.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information, in this case administrative information, will be used for 
a purpose that is compatible with the purpose for which VA collected 
it. In all of the routine use disclosures described above, either the 
recipient of the administrative information will use the information in 
connection with the My HealtheVet program, a matter relating to one of 
VA's programs to provide a benefit to VA, or to meet legal requirements 
for disclosure.
    The notice of intent to publish, and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of Office of Management and Budget (OMB) as required by 
5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 
77677), December 12, 2000.

    Approved: September 20, 2004.
Anthony J. Principi,
Secretary of Veterans Affairs.
130VA19

SYSTEM NAME:
     My HealtheVet Administrative Records--VA.

SYSTEM LOCATION:
     Veterans Health Administration (VHA) local facilities and the 
Austin Automation Center (AAC), 1615 Woodward Street, Austin, Texas 
78772. Address locations for VA facilities are listed in VA Appendix 1 
of the biennial publications of the VA systems of records.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered encompass:
    (1) All individuals who successfully register for a My HealtheVet 
account;
    (2) Representatives of the above individuals who have been provided 
grantee or delegate access to My HealtheVet including, but not limited 
to, family members, friends, or VA and non-VA health care providers;
    (3) VA health care providers; and
    (4) VHA Information Technology (IT) staff and/or their contractors 
and subcontractors who may need to enter identifying, administrative 
information into the system to initiate, support and maintain 
electronic services for My HealtheVet participants.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records include personally identifiable information, such as an 
individual's full name; My HealtheVet User Identifier (ID); date of 
birth; social security number; e-mail address; telephone number; 
mother's maiden name; ZIP code; place and date of registration for My 
HealtheVet; delegate and grantee user IDs associated with My HealtheVet 
accounts; level of access to My HealtheVet electronic services; date 
and type of transaction; patient internal control number (ICN); and 
other administrative data needed for My HealtheVet roles and services.

[[Page 59993]]

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, Section 501.

PURPOSE(S):
    The information in the My HealtheVet Administrative Records is 
needed to operate the My HealtheVet program, in particular, to 
authenticate and register veterans, to authenticate and register other 
appropriate individuals, to authenticate My HealtheVet administrators, 
to retrieve the veteran's information for filling prescription refill 
requests, provide users the ability to view appointments and co-payment 
balances, to extract health information from VistA, and provide other 
associated My HealtheVet electronic services for future phases of the 
My HealtheVet program. The administrative information may also be used 
to create administrative business reports for system operators and VA 
managers who are responsible for ensuring that the My HealtheVet system 
is meeting performance expectations and is in compliance with 
applicable Federal laws and regulations.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    1. Disclosure of information in this system of records may be made 
to private or public sector organizations, individuals, agencies, etc., 
with whom VA has a contract or agreement, including subcontractors, in 
order to administer the My HealtheVet program, or perform other such 
services as VA deems appropriate and practical for the purposes of 
administering VA laws.
    2. On its own initiative, VA may disclose information, except for 
the names of My HealtheVet users and system administrators, to a 
Federal, State, local, tribal or foreign agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto. On its 
own initiative, the VA may also disclose the names of My HealtheVet 
users and system administrators to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto.
    3. Disclosure may be made to National Archives and Records 
Administration (NARA) to support its records management inspections 
responsibilities and its role as Archivist of the United States under 
authority of Title 44 United States Code (U.S.C).
    4. Any information in this system of records may be disclosed to 
the United States Department of Justice or United States Attorneys in 
order to prosecute or defend litigation involving or pertaining to the 
United States, or in which the United States has an interest.
    5. Disclosure may be made to a Congressional office from the record 
of an individual in response to an inquiry from the congressional 
office made at the request of that individual.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    These administrative records are maintained on paper and electronic 
media, including hard drive disks, which are backed up to tape at 
regular intervals.

RETRIEVABILITY:
    Records may be retrieved by an individual's name, user ID, date of 
registration for My HealtheVet electronic services, ZIP code, the VA-
assigned ICN, date of birth and/or social security number, if provided.

SAFEGUARDS:
    1. Access to and use of the My HealtheVet Administrative Records 
are limited to those persons whose official duties require such access; 
VA has established security procedures to ensure that access is 
appropriately limited. Information security officers and system data 
stewards review and authorize data access requests. VA regulates data 
access with security software that authenticates My HealtheVet 
administrative users and requires individually unique codes and 
passwords. VA provides information security training to all staff and 
instructs staff on the responsibility each person has for safeguarding 
data confidentiality. VA regularly updates security standards and 
procedures that are applied to systems and individuals supporting this 
program.
    2. Physical access to computer rooms housing the My HealtheVet 
Administrative Records is restricted to authorized staff and protected 
by a variety of security devices. Unauthorized employees, contractors, 
and other staff are not allowed in computer rooms. The Federal 
Protective Service or other security personnel provide physical 
security for the buildings housing computer systems and data centers.
    3. Data transmissions between operational systems and My HealtheVet 
Administrative Records maintained by this system of records are 
protected by telecommunications software and hardware as prescribed by 
VA standards and practices. This includes firewalls, encryption, and 
other security measures necessary to safeguard data as it travels 
across the VA Wide Area Network.
    4. Copies of back-up computer files are maintained at secure off-
site locations.

RETENTION AND DISPOSAL:
    Records are maintained and disposed of in accordance with the 
records disposition authority approved by the Archivist of the United 
States. Records from this system that are needed for audit purposes 
will be disposed of 6 years after a user's account becomes inactive. 
Routine records will be disposed of when the agency determines they are 
no longer needed for administrative, legal, audit, or other operational 
purposes. These retention and disposal statements are pursuant to the 
National Archives and Records Administration (NARA) General Records 
Schedules GRS 20, item 1c and GRS 24, item 6a.

SYSTEM MANAGER(S) AND ADDRESS:
    Official responsible for policies and procedures: Deputy Chief 
Information Officer for Health (19), Department of Veterans Affairs, 
810 Vermont Avenue, NW., Washington, DC 20420. Officials maintaining 
this system of record: The local VA facility (Address locations for VA 
facilities are listed in VA Appendix 1 of the biennial publications of 
the VA systems of records) and the Chief, Technical Infrastructure 
Division (31), Austin Automation Center, 1615 Woodward Street, Austin, 
Texas 78772.

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether a record is being 
maintained under their name in this system or wish to determine the 
contents of such records have two options:
    1. Submit a written request or apply in person to the VA facility 
where the records are located. VA facility location information can be 
found in the Facilities Locator section of VA's Web site at http://www.va.gov; or
    2. Submit a written request or apply in person to the Chief of the 
Technical Infrastructure Division (31), Austin Automation Center, 1615 
Woodward Street, Austin, Texas 78772.
    Inquiries should include the person's full name, User ID, date of 
birth and return address.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of

[[Page 59994]]

records in this system may write or call their local VA facility and/or 
the Chief of the Technical Infrastructure Division (31), Austin 
Automation Center, 1615 Woodward Street, Austin, Texas 78772. If making 
a call, dial (512) 326-6780 to reach the VA Austin Automation Center 
Help Desk and ask to speak with the Chief of the Technical 
Infrastructure Division.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:
    The sources of information for this system of records include the 
individuals covered by this notice and an additional contributor, as 
listed below:
    (1) All individuals who successfully register for a My HealtheVet 
account;
    (2) Representatives of the above individuals who have been provided 
access to the private health space by the veteran user, including but 
not limited to, family members, friends, or VA and non-VA health care 
providers;
    (3) VA health care providers;
    (4) VHA IT staff and/or their contractors and subcontractors who 
may need to enter information into the system to initiate, support and 
maintain My HealtheVet electronic services for My HealtheVet users; and
    (5) VistA systems.

[FR Doc. 04-22437 Filed 10-5-04; 8:45 am]
BILLING CODE 8320-01-P