[Federal Register Volume 72, Number 54 (Wednesday, March 21, 2007)]
[Notices]
[Pages 13347-13351]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-5135]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 (5 U.S.C. 552a(e)), 
notice is hereby given that the Department of Veterans Affairs is 
amending the system of records currently entitled ``Program Evaluation 
Research Data Management Records--VA'' (107VA008B) as set forth in the 
Federal Register 66 FR 29633-35. VA is amending the system by revising 
the System Name; System Location; Categories of Individuals Covered by 
the System; Categories of Records in the System; Purpose(s); Routine 
Uses of Records Maintained in the System, Including Categories of Users 
and the Purposes of Such Uses; Policies and Practices for Storing, 
Retrieving, Accessing, Retaining, and Disposing of Records in the 
System; System Manager and Address(es); Notification Procedures; Record 
Access Procedure(s); Contesting Records Procedures; and Record Source 
Categories. VA will be publishing a new system of records notice to 
cover evaluation of non-health information. VA is republishing the 
system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than April 20, 2007. If no public comment is 
received, the new system will become effective April 20, 2007.

ADDRESSES: Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 273-9515 for an appointment. In 
addition, during the comment period, comments may be viewed online 
through the Federal Docket Management System.

FOR FURTHER INFORMATION CONTACT: Dat Tran, Director, Office of Data 
Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 
810 Vermont Avenue, NW., Washington, DC 20420, (202) 273-6482.

SUPPLEMENTARY INFORMATION:

I. Description of Proposed Systems of Records

    While this System of Records has been amended to reflect the 
current organizational alignment, its number remains 107VA008B. The 
System Name is changed from ``Program Evaluation Research Data 
Management Records--VA'' to ``Health Program Evaluation--VA'' to more 
accurately reflect the scope of activity conducted with data from this 
system of records.

    This System of Records has been refocused to apply to data gathered 
from all VA components, including protected health information (PHI) 
supplied by the Veterans Health Administration (VHA) that is needed to 
conduct data collection, storage and analyses on behalf of VHA for 
program evaluations, and analysis including descriptions of the 
utilization of services, demographic profiles of service or benefit 
users, utilization projections, forecasting, and trend analyses, and 
other analyses that characterize patterns of utilization, costs, and 
future service needs. A more complete description of the duties and 
activities of the Office of Policy and Planning (OPP) is at http://www1.va.gov/op3/docs/008_org.pdf. OPP receives, maintains and uses VHA 
PHI under a Business Associate Agreement (BAA) between VHA and OPP. OPP 
receives, maintains, uses and discloses information from this system of 
records in accordance with these Rules. VHA periodically reviews the 
handling of its data to ensure that the requirements of these Rules are 
met.
    The Safeguards section has been updated to reflect the additional 
security requirements and restrictions on the use of health information 
obtained from the Veterans Health Administration (VHA) in compliance 
with requirements of the Health Insurance Portability and 
Accountability Act (HIPAA) Privacy and Security Rules, 45 CFR Parts 160 
and 164. The Privacy and Security Rules became effective after the date 
of initial publication of this system of records. This portion of the 
amendment documents privacy and security procedures implemented earlier 
to reflect the requirements of these Rules.
    The Department has made minor edits to the System Notice for 
grammar and clarity purposes to reflect plain language, including 
changes to routine uses. These changes are not, and are not intended to 
be, substantive, and are not further discussed or enumerated.

II. Proposed Amendments to Routine Use Disclosures of Data in the 
System

    A statement clarifying that the routine use disclosure statements 
in this system of records do not provide authority for VA to disclose 
individually identifiable health information protected by 38 U.S.C. 
7332 or the Health Insurance Portability and Accountability Act (HIPAA) 
Privacy Rule has been added. This means VA must have disclosure 
authority under 38 U.S.C. 7332, HIPAA, or both, where applicable, 
before disclosure under any routine use for data covered by these 
provisions. Further, routine uses are amended to provide consistency 
with the standards defined by Department of Health and Human Services 
under HIPAA.
    Routine use number 1 clarifies the scope of records that can be 
disclosed.
    Routine use number 2 is clarified as to the scope of records that 
can be disclosed.
    Routine use number 3 is revised to specify the privacy requirements 
and information use safeguards as required by OPP when records are 
shared with other Federal agencies for their use or for OPP information 
matching needs.
    Routine use number 4 is revised to specify the privacy requirements 
and information use safeguards as required by OPP when records are 
shared with contractors, consultants, and collaborating analysts who 
have been engaged by the VA.
    Routine use number 5 specifies that system records may be disclosed 
to the Office of Management and Budget.
    Routine use number 6 states that records may be disclosed to ensure 
data security, and to respond to a suspected compromise of covered 
data, including efforts to remedy any potential harm from the 
compromise. Section 5724 of title 38, United States Code, requires such 
actions. Also, in determining whether to disclose records under this 
routine use, VA will comply with the guidance promulgated by the Office 
of Management and Budget in a May 24, 1985, memorandum entitled 
``Privacy Act Guidance--Update'', currently posted at http://www.whitehouse.gov/omb/inforeg/guidance1985.pdf.
    Routine use number 7 is clarified as to the scope of records that 
can be disclosed to the Department of Justice (DoJ).
    Routine use number 8 is clarified as to the scope of records that 
can be disclosed for law enforcement purposes.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which we collected the information. In all of the routine 
use disclosures described above, the recipient of the information will 
use the information in connection with a matter relating to one of VA's 
programs, will use the information to provide a benefit to VA, or 
disclosure is required by law.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of the Office of Management and Budget (OMB) as 
required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB 
(65 FR 77677), December 12, 2000.

    Approved: March 6, 2007.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
107VA008B

System Name:
    Health Program Evaluation--VA.

System Location:
    The system of records is located in the office of the Director, Office 
of Data Development and Analysis, (008A3), U.S. Department of Veterans 
Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Records are 
stored on a secured server computer at the VA Austin Automation Center, 
1615 Woodward Street, Austin, Texas 78722. Records not stored at the VA 
Austin Automation Center are stored on electronic media or laser 
optical media in a combination-protected safe which is secured inside a 
key-accessed room at the U.S. Department of Veterans Affairs, 810 
Vermont Avenue, NW., Washington, DC, 20420. Records necessary for a 
contractor to perform analyses under a contract are located at the 
respective contractor's secure facility.

Categories of Individuals Covered by the System:
    1. Veterans who have applied for healthcare services or benefits 
under Title 38, United States Code.
    2. Veterans' spouse, surviving spouse, previous spouse, children, 
and parents who have applied for healthcare services or benefits under 
Title 38, United States Code.
    3. Beneficiaries of other Federal agencies or other governmental 
entities.
    4. Individuals examined or treated under contract or resource 
sharing agreements.
    5. Individuals examined or treated for research or donor purposes.
    6. Individuals who have applied for Title 38 benefits but who do 
not meet the requirements under Title 38 to receive such benefits.
    7. Individuals who were provided medical care under emergency 
conditions for humanitarian reasons.
    8. Pensioned members of allied forces provided healthcare services 
under Title 38, United States Code.

Categories of Records in the System:
    Records include identification numbers, contact and location 
information, demographic information, military service descriptions, 
residency characteristics, economic information, healthcare visit 
descriptions, patient assessments, medical test descriptions and 
results, diagnoses, 
disability assessments, treatments, pharmaceutical information, service 
utilization and associated medical staffing and resource costs, 
entitlements or benefits, patient survey results, and health status. 
The records include information that is created or collected during the 
course of normal clinical operations work and is provided by patients, 
employers, students, volunteers, contractors, subcontractors, and 
consultants. In addition, records also include social security numbers, 
military service numbers, claim or file numbers, and DoD's 
identification numbers.

Authority for Maintenance of the System:
    38 U.S.C. 527.

Purpose(s):
    Health-related qualitative, quantitative, and actuarial analyses 
and projections to support policy analyses and recommendations to 
improve VA services for veterans and their families. Analysis and 
review of policy and long-term planning issues affecting veterans 
programs to support legislative, regulatory and policy recommendations 
and initiatives.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purposes of Such Uses:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, or both, that information cannot be disclosed under a routine 
use unless there is also specific statutory authority in 38 U.S.C. 7332 
and regulatory authority in 45 CFR parts 160 and 164 permitting 
disclosure.
    1. Any system records disclosure may be made to a Member of 
Congress or to a Congressional staff member in response to an inquiry 
of the Congressional office made at the written request of the 
constituent about whom the record is maintained.
    2. Any system records disclosure may be made to the National 
Archives and Records Administration as required in records management 
inspections under title 44 U.S.C.
    3. Any system records may be disclosed to a Federal agency for the 
conduct of research and data analysis to perform a statutory purpose of 
that Federal agency upon the prior written request of that agency, 
provided that there is legal authority under all applicable 
confidentiality statutes and regulations to provide the data and OPP 
has determined prior to the disclosure that OPP data handling 
requirements are satisfied. OPP may disclose limited individual 
identification information to another Federal agency for the purpose of 
matching and acquiring information held by that agency for OPP to use 
for the purposes stated for this system of records.
    4. Any system records may be disclosed to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to perform such 
services as VA may deem practicable for the purposes of laws 
administered by VA, in order for the contractor, subcontractor, public 
or private agency, or other entity or individual with whom VA has an 
agreement or contract to perform the services of the contract or 
agreement. This routine use includes disclosures by the individual or 
entity performing the service for VA to any secondary entity or 
individual to perform an activity that is necessary for individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to provide the 
service to VA.
    5. Any system records may be disclosed to the Office of Management 
and Budget in order for them to perform their statutory 
responsibilities of evaluating Federal programs.
    6. Any records may be disclosed to appropriate agencies, entities, 
and persons under the following circumstances: When (1) it is suspected 
or confirmed that the security or confidentiality of information in the 
system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security or integrity of this system or other 
systems or programs (whether maintained by the Department or another 
agency or entity) that rely upon the compromised information; and (3) 
the disclosure is made to such agencies, entities, and persons who are 
reasonably necessary to assist in connection with the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm.
    7. VA may disclose information in this system of records to the 
Department of Justice, either on VA's initiative or in response to 
DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    In determining whether to disclose records under this routine use, 
VA will comply with the guidance promulgated by the Office of 
Management and Budget in a May 24, 1985, memorandum entitled ``Privacy 
Act Guidance--Update'', currently posted at http://www.whitehouse.gov/omb/inforeg/guidance1985.pdf.
    8. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature, and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
Storage:
    VA sensitive information, including individually identifiable 
health information, is stored on electronic media, laser optical media, 
on a segregated secure server or in paper form. Data stored on a secure 
server are located at the Austin Automation Center. Electronic media, 
or laser optical media data are kept locked in a safe when not in 
immediate use. 
The safe is secured inside a key-accessed room at OPP. Information 
stored on paper is kept locked in file cabinets when not in immediate 
use. Databases are temporarily placed on a secured server inside a 
restricted network area for data match purposes only. Information that 
resides on a segregated server is kept behind locked doors with limited 
access. Requestors of OPP stored health information within VA, or from 
external individuals, contractors, organizations, and/or agencies with 
whom VA has a contract or agreement, must provide an equivalent level 
of security protection and comply with all applicable VA policies and 
procedures for storage and transmission as codified in VA directives 
such as but not limited to VA Directive 6504.

Retrievability:
    Individually-identified health care information is kept in two 
forms. The first form is the original data file containing the names 
and social security numbers of the record subjects. OPP assigns unique 
codes derived from social security numbers to these individual records 
prior to conducting analyses on the data. The encryption key for social 
security numbers and other numerical identifiers of the individuals is 
stored in a safe in OPP. The original records may be retrieved using 
social security numbers, military service number, claim or file number, 
DoD's identification numbers, or other personal numerical identifiers. 
The records containing the encrypted identifiers may be retrieved only 
by those identifiers.

Safeguards:
    The list of safeguards furnished in this System of Records is a 
general statement of measures taken to protect health information. For 
example, HIPAA guidelines for protecting health information will be 
followed and OPP will adopt evolving health care industry best 
practices in order to provide adequate safeguards. Further, VA policy 
directives that specify the standards that will be applied to protect 
health information will be provided to VA staff and contractors through 
mandatory data privacy and security training.
    Access to data storage areas is restricted to authorized VA 
employee or contract staff who have been cleared to work by the VA 
Office of Security and Law Enforcement. Health information file areas 
are locked after normal duty hours. VA facilities are protected from 
outside access by the Federal Protective Service and/or other security 
personnel.
    Access to health information provided by the Veterans Health 
Administration (VHA) pursuant to a Business Associate Agreement (BAA) 
is restricted to those OPP employees and contractors who have a need 
for the information in the performance of their official duties related 
to the terms of the BAA. As a general rule, full sets of health care 
information are not provided for use unless authorized by the OPP 
Assistant Secretary. File extracts provided for specific official uses 
will be limited to the minimum necessary amount and contain only the 
information fields needed for the analysis. Data used for analyses will 
have individual identifying characteristics removed whenever possible.
    Security complies with applicable Federal Information Processing 
Standards (FIPS) issued by the National Institute of Standards and 
Technology (NIST). Health information files containing unique 
identifiers such as social security numbers are encrypted to NIST-
verified FIPS 140-2 standard or higher for storage, transport, or 
transmission. All files stored or transmitted on laptops, workstations, 
data storage devices and media are encrypted. Files are kept encrypted 
at all times except when data is in immediate use, per specifications 
by VA Office of Information Technology. NIST publications were 
consulted in development of security for this system of records.
    Contractors and their subcontractors are required to maintain the 
same level of security as VA staff for health care information that has 
been disclosed to them. Any data disclosed to a contractor or 
subcontractor to perform authorized analyses requires the use of Data 
Use Agreements, Non-Disclosure Statements and Business Associates 
Agreements to protect health information. Unless explicitly authorized 
in writing by the VA, sensitive or protected data made available to the 
contractor and subcontractors shall not be divulged or made known in 
any manner to any other person. Other federal or state agencies 
requesting health care information need to execute Data Use Agreements 
to protect data.
    OPP's work area is accessed for business-only needs. For data that 
is not stored on a secure server, the data is stored in a combination-
protected safe which is secured inside a limited access room. Direct 
access to the safe is controlled by select individuals who possess 
background security clearances. Only a few employees with strict 
business needs or ``need-to-know'' access and completed background 
checks will ever handle the data once it is removed from the safe for 
data match purposes.

Retention and Disposal:
    Records are maintained and disposed of in accordance with records 
disposition authority approved by the Archivist of the United States. 
If the Archivist has not approved disposition authority for any records 
covered by the system notice, the System Manager will take immediate 
action to have the disposition of records in the system reviewed and 
paperwork initiated to obtain an approved records disposition authority 
in accordance with VA Handbook 6300.1, Records Management Procedures. 
OPP will publish an amendment to this notice upon issuance of NARA-
approved disposition authority. The records may not be destroyed until 
VA obtains an approved records disposition authority. OPP destroys 
electronic files when no longer needed for administrative, legal, 
audit, or other operational purposes. In accordance with title 36 CFR 
1234.34, Destruction of Electronic Records, ``electronic records may be 
destroyed only in accordance with a records disposition schedule 
approved by the Archivist of the United States, including General 
Records Schedules.''

System Manager(s) and Address(es):
    Director, Office of Data Development and Analysis, (008A3), U.S. 
Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 
20420.

Notification Procedure:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request to the Director, Office of Data Development 
and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont 
Avenue, NW., Washington, DC 20420. Such requests must contain a 
reasonable description of the records requested. All inquiries must 
reasonably identify the health care information involved and the 
approximate date that medical care was provided. Inquiries should 
include the patient's full name, social security number, telephone 
number and return address.

Record Access Procedures:
    Individuals seeking information regarding access to and contesting 
of VA health information maintained by the Office of Policy and 
Planning may send a request by mail to the Director, Data Development 
and Analysis Service, (008A3), Department of Veterans Affairs, 810 
Vermont Ave., Washington, DC 20420.

Contesting Records Procedures:
    (See Notification procedure above.)

Record Source Categories:
    Information is obtained from VHA and other VA staff offices and 
Administrations, OPP's National Survey of Veterans, national surveys 
(e.g., National Long Term Care Survey, National Health Interview 
Survey), Federal agencies (e.g., Department of Defense, Department of 
Health and Human Services), state agencies, and other private and 
public health provider or insurance programs and plans.

 [FR Doc. E7-5135 Filed 3-20-07; 8:45 am]