[Federal Register Volume 74, Number 222 (Thursday, November 19, 2009)]
[Notices]
[Pages 60040-60047]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-27786]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA)

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), 
notice is hereby given that the Department of Veterans Affairs (VA) is 
amending the system of records currently entitled ``Patient Medical 
Records-VA'' (24VA19) as set forth in the Federal Register, 69 FR 18428 
(Apr. 7, 2004). VA is amending the system by revising the Categories of 
Records in the System, and Routine Uses of Records Maintained in the 
System, Including Categories of Users and the Purposes of Such Uses; 
and Policies and Practices for Storing, Retrieving, Accessing, 
Retaining, and Disposing of Records in the System. VA is republishing 
the system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than December 21, 2009. If no public comment is 
received, the amended system will become effective December 21, 2009.

ADDRESSES: Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to Director, Regulations 
Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue, 
NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. 
(This is not a toll-free number). Copies of comments received will be 
available for public inspection in the Office of Regulation Policy and 
Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m., 
Monday through Friday (except holidays). Please call (202) 461-4902 
(this is not a toll-free number) for an appointment. In addition, 
during the comment period, comments may be viewed online through the 
Federal Docket Management System (FDMS) at http://www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue, 
NW., Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION: The Patient Medical Records-VA (24VA19) 
system of records is amended to clarify the records in the system, to 
clarify records storage, and to clarify and add routine use disclosure 
statements.
    Categories of Records in the System is amended to reflect 
subsidiary record information such as minimum data sets (MDS) being 
included in the consolidated health record (CHR).
    Practices for Storing, Retrieving, Accessing, Retaining, and 
Disposing of Records in the System is amended to reflect records being 
maintained on electronic media, which includes images and scanned 
documents.
    Routine use thirteen (13) is amended to add the phrase ``or 
designee, such as the Medical Center Director of the facility where the 
information is maintained'' after ``Under Secretary for Health.'' This 
language clarifies that designated individuals may approve the 
disclosure of information from records maintained at their facilities 
for the purpose of research.
    Routine use fourteen (14) is amended to add the language ``health 
information, including.'' This language clarifies that not only names 
and addresses of veterans but any health information about veterans may 
also be disclosed for Federal research.
    Routine use fifteen (15) is amended to permit disclosure to the 
Department of

[[Page 60041]]

Justice or other Federal agencies in litigation or other administrative 
or adjudicative proceedings that involve VA, a VA employee, or the 
Federal government. This language clarifies that, in addition to 
judicial proceedings in which VA is a party, information may be 
disclosed in non-judicial administrative or adjudicative proceedings 
and in proceedings where the Federal government is a party.
    Routine use twenty-one (21) is amended to clarify that, consistent 
with Sec.  7332, disclosure that a patient is infected with the human 
immunodeficiency virus may be made to an individual identified by the 
patient during counseling or testing for the virus as a sexual partner.
    Routine use twenty-three (23) is amended to delete the phrase ``the 
acceptance of'' in order to clarify that a health care provider's 
surrender of or restriction on his or her privileges may not be a 
material factor in the decision to report the practitioner to the 
National Practitioner Data Bank or a State Licensing Board.
    Routine use forty-three (43) is amended to add the language 
``private health care providers or hospitals, DoD, or IHS providers.'' 
This language clarifies that VHA may disclose health information to all 
non-VA health care providers, including Federal, private, and public 
providers, for the purpose of treating veterans.
    Routine use forty-six (46) is amended to delete the language 
excluding medical treatment information related to drug or alcohol 
abuse, infection with the human immunodeficiency virus, or sickle cell 
anemia, and the names and home addresses of veterans and their 
dependents from the routine use. Congress enacted legislation to allow 
for the disclosure of information protected by 38 U.S.C. 5701 and 7332 
to organ procurement organizations for the purpose of determining 
suitability of patients' organs or tissues for organ donation when 
death is imminent. This routine use allows VHA to honor the wishes of 
veterans to be organ donors.
    Routine use forty-seven (47) is amended to clarify that the 
disclosure of information to DoD with respect to the transition, health 
care, benefits, and administrative needs of or for active duty service 
members or reserve components, veterans, and their beneficiaries is not 
limited to times of war or national emergency.
    The following routine use disclosure statements are added:
    Routine use forty-eight (48) states that disclosure to other 
Federal agencies may be made to assist those agencies in preventing and 
detecting possible fraud or abuse by individuals in their operations 
and programs. This routine use permits disclosures by the Department to 
report or respond to a suspected or confirmed incident of identity 
theft and provide information and/or documentation related to or in 
support of the reported incident.
    Routine use forty-nine (49) states that VA may, on its own 
initiative, disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that the integrity or confidentiality of information in the system of 
records has been compromised; (2) the Department has determined that as 
a result of the suspected or confirmed compromise, there is a risk of 
embarrassment or harm to the reputations of the record subjects, harm 
to economic or property interests, identity theft or fraud, or harm to 
the security, confidentiality, or integrity of this system or other 
systems or programs (whether maintained by the Department or another 
agency or entity) that rely upon the potentially compromised 
information; and (3) the disclosure is to agencies, entities, or 
persons whom VA determines are reasonably necessary to assist or carry 
out the Department's efforts to respond to the suspected or confirmed 
compromise and prevent, minimize, or remedy such harm. This routine use 
permits disclosures by the Department to report or respond to a 
suspected or confirmed data breach, including the conduct of any risk 
analysis or provision of credit protection services as provided in 38 
U.S.C. 5724, as the terms are defined in Sec.  5727.
    Routine use fifty (50) states that information may be disclosed 
from this system of records to any third party or Federal agency, 
including contractors to those parties, that is responsible for payment 
of the cost of medical care for the identified patients, in support of 
VA recovery of medical care costs or for any activities related to 
payment of medical care costs. These records may also be disclosed as 
part of a computer matching program to accomplish these purposes. This 
routine use permits disclosure to third party payers or their 
contractors for purposes relating to audit of payment and claims 
management processes.
    Routine use fifty-one (51) states that relevant information from 
this system of records may be disclosed to a quality review and/or peer 
review organization in connection with the audit of claims or other 
review activities, to determine quality of care or compliance with 
professionally accepted claims processing standards. This routine use 
permits disclosure of information for quality assessment audits 
received by Healthcare Effectiveness Data and Information Set or 
similar auditors.
    Routine use fifty-two (52) permits the disclosure of health care 
information as deemed necessary and proper to Federal, State, and local 
government agencies and national health organizations in order to 
assist in the development of programs that will be beneficial to 
claimants, protect their rights under law, and ensure that they are 
receiving all benefits to which they are entitled. This routine use 
allows VHA to provide initial and follow-up abstracts to state central 
cancer registries charged with the protection of public health. A 
follow-up cancer abstract is generated by the state central cancer 
registry to the provider who initially reported the cancer case. The 
American College of Surgeons, Commission on Cancer, requires a 90% 
follow-up on all cancer patients for purposes of accreditation which in 
turn demonstrates a high-quality cancer program.
    Routine use fifty-three (53) authorizes the disclosure of 
information to a former VA employee or contractor, as well as the 
authorized representative of a current or former employee or contractor 
of VA, in defense or reasonable anticipation of litigation against the 
individual regarding health care provided during his or her employment 
or contract with VA.
    Routine use fifty-four (54) permits such disclosure when the former 
employee's or contractor's information or consultation assistance is 
necessary in a pending or reasonably anticipated tort claim, 
litigation, or other administrative or judicial proceeding that 
involves VA.
    Routine use fifty-five (55) allows such disclosure in connection 
with or consideration of the reporting of that individual to the 
National Practitioner Data Bank or a state licensing board with respect 
to the payment of a medical malpractice settlement, a decision relating 
to possible incompetence or improper professional conduct, or surrender 
or restriction of privileges while under investigation.
    Routine use fifty-six (56) authorizes such disclosure in connection 
with or in consideration of reporting that individual to a state 
licensing board for failure to conform to generally accepted standards 
of professional medical practice.
    Routine use fifty-seven (57) also permits such disclosure in 
administrative proceedings before the Equal Employment Opportunity 
Commission.

[[Page 60042]]

    Finally, routine use fifty-eight (58) authorizes such disclosure in 
administrative proceedings before the Merit Systems Protection Board or 
the Office of the Special Counsel.
    The Department has also made minor edits to the system notice, 
including routine uses, for grammar and clarity purposes. These changes 
are not, and are not intended to be, substantive.
    The Report of Intent to Amend a System on Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by the Privacy Act, 5 U.S.C. 
552a(r), and guidelines issued by OMB, 65 FR 77677, (Dec. 12, 2000).

    Approved: October 30, 2009.
John R. Gingrich,
Chief of Staff, Department of Veterans Affairs.
24VA19

SYSTEM NAME:
    Patient Medical Records-VA

SYSTEM LOCATION:
    Records are maintained at each VA health care facility (in most 
cases, back-up information is stored at off-site locations). Subsidiary 
record information is maintained at the various respective services 
within the health care facility (e.g., Pharmacy, Fiscal, Dietetic, 
Clinical Laboratory, Radiology, Social Work, Psychology) and by 
individuals, organizations, and/or agencies with which VA has a 
contract or agreement to perform such services, as VA may deem 
practicable.
    Address locations for VA facilities are listed in Appendix 1 of the 
biennial publication of the VA Privacy Act Issuances. In addition, 
information from these records or copies of these records may be 
maintained at the Department of Veteran Affairs Central Office, 810 
Vermont, NW., Washington, DC 20420; VA National Data Centers; VA Health 
Data Repository (HDR), located at the VA National Data Centers; VA 
Chief Information Office (CIO) Field Offices; Veterans Integrated 
Service Networks; and Regional and General Counsel Offices.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    1. Veterans who have applied for health care services under Chapter 
17 of Title 38, United States Code, and members of their immediate 
families;
    2. Spouses, surviving spouses, and children of veterans who have 
applied for health care services under Chapter 17 of Title 38, United 
States Code;
    3. Beneficiaries of other Federal agencies;
    4. Individuals examined or treated under contract or resource 
sharing agreements;
    5. Individuals examined or treated for research or donor purposes;
    6. Individuals who have applied for Title 38 benefits but who do 
not meet the requirements under Title 38 to receive such benefits;
    7. Individuals who were provided medical care under emergency 
conditions for humanitarian reasons; and
    8. Pensioned members of allied forces provided health care services 
under Chapter I of Title 38, United States Code.

Categories of records in the system:
    The patient medical record is a consolidated health record (CHR) 
which may include:
    (i) An administrative (non-clinical information) record (e.g., 
medical benefit application and eligibility information) including 
information obtained from Veterans Benefits Administration automated 
records such as the Veterans and Beneficiaries Identification and 
Records Locator Subsystem-VA (38VA23) and the Compensation, Pension, 
Education and Rehabilitation Records-VA (58VA21/22/28), and 
correspondence about the individual;
    (ii) A medical record (a cumulative account of sociological, 
diagnostic, counseling, rehabilitation, drug and alcohol, dietetic, 
medical, surgical, dental, psychological, and/or psychiatric 
information compiled by VA professional staff and non-VA health care 
providers), and
    (iii) Subsidiary record information (e.g., tumor registry, minimum 
data set, dental, pharmacy, nuclear medicine, clinical laboratory, 
radiology, and patient scheduling information). The consolidated health 
record may include identifying information (e.g., name, address, date 
of birth, VA claim number, social security number); military service 
information (e.g., dates, branch and character of service, service 
number, medical information); family information (e.g., next of kin and 
person to notify in an emergency; address information, name, social 
security number and date of birth for veteran's spouse and dependents; 
family medical history information); employment information (e.g., 
occupation, employer name and address); financial information (e.g., 
family income; assets; expenses; debts; amount and source of income for 
veteran, spouse, and dependents); third-party health plan contract 
information (e.g., health insurance carrier name and address, policy 
number, amounts billed and paid); and information pertaining to the 
individual's medical, surgical, psychiatric, dental, and/or 
psychological examination, evaluation, and/or treatment (e.g., 
information related to the chief complaint and history of present 
illness; information related to physical, diagnostic, therapeutic 
special examinations; clinical laboratory, pathology and x-ray 
findings; operations; medical history; medications prescribed and 
dispensed; treatment plan and progress; consultations; photographs 
taken for identification and medical treatment; education and research 
purposes; facility locations where treatment is provided; observations 
and clinical impressions of health care providers to include identity 
of providers and to include, as appropriate, the present state of the 
patient's health; and an assessment of the patient's emotional, 
behavioral, and social status, as well as an assessment of the 
patient's rehabilitation potential and nursing care needs). Abstract 
information (e.g., environmental, epidemiological and treatment regimen 
registries) is maintained in auxiliary paper and automated records.

Authority for maintenance of the system:
    Title 38, United States Code, Sections 501(b) and 304.

PURPOSE(S):
    The paper and automated records may be used for such purposes as: 
Ongoing treatment of the patient; documentation of treatment provided; 
payment; health care operations such as producing various management 
and patient follow-up reports; responding to patient and other 
inquiries; for epidemiological research and other health care related 
studies; statistical analysis, resource allocation and planning; 
providing clinical and administrative support to patient medical care; 
determining entitlement and eligibility for VA benefits; processing and 
adjudicating benefit claims by Veterans Benefits Administration 
Regional Office (VARO) staff; for audits, reviews, and investigations 
conducted by staff of the health care facility, the networks, VA 
Central Office, and the VA Office of Inspector General (OIG); sharing 
of health information between and among Veterans Health Administration 
(VHA), Department of Defense (DoD), Indian Health Services (IHS), and 
other government and private industry health care organizations; law 
enforcement investigations; quality assurance audits,

[[Page 60043]]

reviews, and investigations; personnel management and evaluation; 
employee ratings and performance evaluations; and employee disciplinary 
or other adverse action, including discharge; advising health care 
professional licensing or monitoring bodies or similar entities of 
activities of VA and former VA health care personnel; accreditation of 
a facility by an entity such as the Joint Commission (JCAHO); and 
notifying medical schools of medical students' performance and billing.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia, or infection with the human immunodeficiency 
virus, that information may not be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. VA may disclose health care information as deemed necessary and 
proper to Federal, State, and local government agencies and national 
health organizations in order to assist in the development of programs 
that will be beneficial to claimants, protect their rights under law, 
and assure that they are receiving all benefits to which they are 
entitled.
    2. VA may disclose health care information furnished and the period 
of care, as deemed necessary and proper to accredited service 
organization representatives and other approved agents, attorneys, and 
insurance companies to aid claimants whom they represent in the 
preparation, presentation, and prosecution of claims under laws 
administered by VA, or State or local agencies.
    3. VA may disclose on its own initiative any information, except 
the names and addresses of veterans and their dependents, that is 
relevant to a suspected or reasonably imminent violation of law, 
whether civil, criminal, or regulatory in nature, and whether arising 
by general or program statute or by regulation, rule, or order issued 
pursuant thereto, to a Federal, State, local, tribal, or foreign agency 
charged with the responsibility of investigating or prosecuting such 
violation, or charged with enforcing or implementing the statute, 
regulation, rule, or order. On its own initiative, VA may also disclose 
the names and addresses of veterans and their dependents to a Federal 
agency charged with the responsibility of investigating or prosecuting 
civil, criminal, or regulatory violations of law, or charged with 
enforcing or implementing the statute, regulation, rule, or order 
issued pursuant thereto.
    4. VA may disclose information to a Federal agency or the District 
of Columbia government, in response to its request, in connection with 
the hiring or retention of an employee and the issuance of a security 
clearance as required by law, the reporting of an investigation of an 
employee, or the issuance of a license, grant, or other benefit by the 
requesting agency, to the extent that the information is relevant and 
necessary to the requesting agency's decision.
    5. Health care information may be disclosed by appropriate VA 
personnel to the extent necessary and on a need-to-know basis, 
consistent with good medical-ethical practices, to family members and/
or the person(s) with whom the patient has a meaningful relationship.
    6. In response to an inquiry from a member of the general public 
about a named individual, VA may disclose the patient's name, presence 
(and location when needed for visitation purposes) in a medical 
facility, and general condition that does not reveal specific medical 
information (e.g., satisfactory, seriously ill).
    7. In the course of presenting evidence to a court, magistrate, or 
administrative tribunal in matters of guardianship, inquests, and 
commitments, VA may disclose relevant information to private attorneys 
representing veterans rated incompetent in conjunction with issuance of 
certificates of incompetency and to probation and parole officers in 
connection with court-required duties.
    8. VA may disclose relevant information to a guardian ad litem in 
relation to his or her representation of a claimant in any legal 
proceeding.
    9. VA may disclose information to a member of Congress or a 
congressional staff member in response to an inquiry from the 
congressional office made at the request of that individual.
    10. VA may disclose name(s) and address(es) of present or former 
members of the armed services and/or their dependents under certain 
circumstances: (a) To any nonprofit organization, if the release is 
directly connected with the conduct of programs and the utilization of 
benefits under Title 38, or (b) to any criminal or civil law 
enforcement governmental agency or instrumentality charged under 
applicable law with the protection of the public health or safety, if a 
qualified representative of such organization, agency, or 
instrumentality has made a written request for such name(s) or 
address(es) for a purpose authorized by law, provided that the records 
will not be used for any purpose other than that stated in the request 
and that the organization, agency, or instrumentality is aware of the 
penalty provision of 38 U.S.C. 5701(f).
    11. VA may disclose the nature of the patient's illness, probable 
prognosis, estimated life expectancy, and need for the presence of the 
related service member to the American Red Cross for the purpose of 
justifying emergency leave.
    12. VA may disclose relevant information to attorneys, insurance 
companies, employers, third parties liable or potentially liable under 
health plan contracts, and courts, boards, or commissions, to the 
extent necessary to aid VA in the preparation, presentation, and 
prosecution of claims authorized under Federal, State, or local laws, 
and regulations promulgated thereunder.
    13. VA may disclose health information for research purposes 
determined to be necessary and proper to epidemiological and other 
research entities approved by the Under Secretary for Health or 
designee, such as the Medical Center Director of the facility where the 
information is maintained.
    14. VA may disclose health information, including the name(s) and 
address(es) of present or former personnel of the Armed Services and/or 
their dependents, (a) to a Federal department or agency or (b) directly 
to a contractor of a Federal department or agency, at the written 
request of the head of the agency or the designee of the head of that 
agency, to conduct Federal research necessary to accomplish a statutory 
purpose of an agency. When this information is to be disclosed directly 
to the contractor, VA may impose applicable conditions on the 
department, agency, and/or contractor to ensure the appropriateness of 
the disclosure to the contractor.
    15. VA may disclose relevant information to the Department of 
Justice or other Federal agencies in pending or reasonably anticipated 
litigation or other proceedings before a court, administrative body, or 
other adjudicative tribunal, when:
    (a) VA or any subdivision thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her individual capacity, where DoJ 
has agreed to represent the employee; or

[[Page 60044]]

    (d) The United States, where VA determines that the proceedings are 
likely to affect the operations of VA or any of its components is a 
party to or has an interest in the proceedings, and VA determines that 
the records are relevant and necessary to the proceedings.
    16. Health care information may be disclosed by the examining VA 
physician to a non-VA physician when that non-VA physician has referred 
the individual to VA for medical care.
    17. VA may disclose records to the National Archives and Records 
Administration and the General Services Administration in records 
management inspections and other activities conducted under Title 44.
    18. VA may disclose health care information concerning a non-
judicially declared incompetent patient to a third party upon the 
written authorization of the patient's next of kin in order for the 
patient or, consistent with the best interest of the patient, a member 
of the patient's family, to receive a benefit to which the patient or 
family member is entitled or to arrange for the patient's discharge 
from a VA medical facility. Sufficient information to make an informed 
determination will be made available to such next of kin. If the 
patient's next of kin is not reasonably accessible, the chief of staff, 
director, or designee of the custodial VA medical facility may make the 
disclosure for these purposes.
    19. VA may disclose information to a Federal agency, a state or 
local government licensing board, and/or the Federation of State 
Medical Boards or a similar non-governmental entity that maintains 
records concerning individuals' employment histories or concerning the 
issuance, retention, or revocation of licenses, certifications, or 
registration necessary to practice an occupation, profession, or 
specialty, to inform the entity about the health care practices of a 
terminated, resigned, or retired health care employee whose 
professional health care activity so significantly failed to conform to 
generally accepted standards of professional medical practice as to 
raise reasonable concern for the health and safety of patients in the 
private sector or from another Federal agency. These records may also 
be disclosed as part of an ongoing computer matching program to 
accomplish these purposes.
    20. VA may disclose information maintained in connection with the 
performance of any program or activity relating to infection with the 
Human Immunodeficiency Virus (HIV) to a Federal, State, or local public 
health authority that is charged under Federal or State law with the 
protection of the public health, and to which Federal or state law 
requires disclosure of such record, if a qualified representative of 
such authority has made a written request that such record be provided 
as required pursuant to such law for a purpose authorized by the law. 
The person to whom information is disclosed, under 38 U.S.C. 
7332(b)(2)(C), should be advised that they shall not re-disclose or use 
such information for a purpose other than that for which the disclosure 
was made. The disclosure of patient name and address under this routine 
use must comply with the provisions of 38 U.S.C. 5701(f)(2).
    21. Information indicating that a patient or subject is infected 
with the Human Immunodeficiency Virus (HIV) may be disclosed by a 
physician or professional counselor to the spouse of the patient or 
subject, to an individual with whom the patient or subject has a 
meaningful relationship, or to an individual whom the patient or 
subject has during the process of professional counseling or of testing 
to determine whether the patient or subject is infected with the virus, 
identified as being a sexual partner of the patient or subject. 
Disclosures may be made only if the physician or counselor, after 
making reasonable efforts to counsel and encourage the patient or 
subject to provide the information to the spouse or sexual partner, 
reasonably believes that the patient or subject will not provide the 
information to the spouse or sexual partner and that the disclosure is 
necessary to protect the health of the spouse or sexual partner. Such 
disclosures should, to the extent feasible, be made by the patient's or 
subject's treating physician or professional counselor. Before any 
patient or subject gives consent to being tested for the HIV, as part 
of pre-testing counseling, the patient or subject must be informed 
fully about these notification procedures.
    22. VA may disclose information, including name, address, social 
security number, and other information as is reasonably necessary to 
identify an individual, to the National Practitioner Data Bank at the 
time of hiring and/or clinical privileging/re-privileging of health 
care practitioners, and other times as deemed necessary by VA, in order 
for VA to obtain information relevant to a Department decision 
concerning the hiring, privileging/re-privileging, retention, or 
termination of the applicant or employee.
    23. VA may disclose relevant information to the National 
Practitioner Data Bank and/or State Licensing Board in the state(s) in 
which a practitioner is licensed, the VA facility is located, and/or an 
act or omission occurred upon which a medical malpractice claim was 
based, when VA reports information concerning: (a) Any payment for the 
benefit of a physician, dentist, or other licensed health care 
practitioner which was made as the result of a settlement or judgment 
of a claim of medical malpractice, if an appropriate determination is 
made in accordance with Department policy that payment was related to 
substandard care, professional incompetence or professional misconduct 
on the part of the individual; (b) a final decision which relates to 
possible incompetence or improper professional conduct that adversely 
affects the clinical privileges of a physician or dentist for a period 
longer than 30 days; or (c) the surrender of clinical privileges or any 
restriction of such privileges by a physician or dentist, either while 
under investigation by the health care entity relating to possible 
incompetence or improper professional conduct. These records may also 
be disclosed as part of a computer matching program to accomplish these 
purposes.
    24. VA may disclose relevant health care information to a state 
veterans home for the purpose of medical treatment and/or follow-up at 
the state home when VA makes payment of a per diem rate to the state 
home for the patient receiving care at such home, and the patient 
receives VA medical care.
    25. VA may disclose relevant health care information to (a) a 
Federal agency or non-VA health care provider or institution when VA 
refers a patient for hospital or nursing home care or medical services, 
or authorizes a patient to obtain non-VA medical services, and the 
information is needed by the Federal agency or non-VA institution or 
provider to perform the services, or (b) a Federal agency or a non-VA 
hospital (Federal, State and local, public, or private) or other 
medical installation having hospital facilities, blood banks, or 
similar institutions, medical schools or clinics, or other groups or 
individuals that have contracted or agreed to provide medical services 
or share the use of medical resources under the provisions of 38 U.S.C. 
513, 7409, 8111, or 8153, when treatment is rendered by VA under the 
terms of such contract or agreement, or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment and/or follow-up, determining entitlement to a benefit, or 
recovery of the costs of the medical care.
    26. VA may disclose health care information for program review

[[Page 60045]]

purposes and the seeking of accreditation and/or certification to 
survey teams of the Joint Commission (JCAHO), College of American 
Pathologists, American Association of Blood Banks, and similar national 
accrediting agencies or boards with which VA has a contract or 
agreement to conduct such reviews, but only to the extent that the 
information is necessary and relevant to the review.
    27. VA may disclose relevant health care information to a non-VA 
nursing home facility that is considering the patient for admission, 
when information concerning the individual's medical care is needed for 
the purpose of preadmission screening under 42 CFR 483.20(f), to 
identify patients who are mentally ill or mentally retarded so they can 
be evaluated for appropriate placement.
    28. VA may disclose information which relates to the performance of 
a health care student or provider to a medical or nursing school or 
other health care related training institution, or other facility with 
which VA has an affiliation, sharing agreement, contract, or similar 
arrangement, when the student or provider is enrolled at or employed by 
the school, training institution, or other facility, and the 
information is needed for personnel management, rating, and/or 
evaluation purposes.
    29. VA may disclose relevant health care information to 
individuals, organizations, and private or public agencies with which 
VA has a contract or sharing agreement for the provision of health care 
or administrative services.
    30. VA may disclose identifying information, including social 
security number of a veteran, spouse, and dependent, to other Federal 
agencies for purposes of conducting computer matches to obtain 
information to determine, or to verify eligibility of veterans who are 
receiving VA medical care under Title 38.
    31. VA may disclose the name and social security number of a 
veteran, spouse, and dependent, and other identifying information as is 
reasonably necessary, to the Social Security Administration, Department 
of Health and Human Services (HHS), for the purpose of conducting a 
computer match to obtain information to validate the social security 
numbers maintained in VA records.
    32. VA may disclose the patient's name and relevant health care 
information concerning an adverse drug reaction to the Food and Drug 
Administration (FDA), HHS, for purposes of quality of care management, 
including detection, treatment, monitoring, reporting, analysis, and 
follow-up actions relating to adverse drug reactions.
    33. VA may disclose information to Federal agencies and government-
wide third-party insurers responsible for payment of the cost of 
medical care for the patients, in order for VA to seek recovery of the 
medical care costs. These records may also be disclosed as part of a 
computer matching program to accomplish these purposes.
    34. VA may disclose information pursuant to 38 U.S.C. 7464, and 
notwithstanding Sec. Sec.  5701 and 7332, to a former VA employee, as 
well as an authorized representative of the employee, whose case is 
under consideration by the VA Disciplinary Appeals Board, in connection 
with the considerations of the Board, to the extent the Board considers 
appropriate for purposes of the proceedings of the Board in that case, 
when authorized by the chairperson of the Board.
    35. Information that a patient is infected with Hepatitis C may be 
disclosed by a physician or professional counselor to the spouse, the 
person or subject with whom the patient has a meaningful relationship, 
or an individual whom the patient or subject has identified as being a 
sexual partner of the patient or subject.
    36. VA may disclose to the Federal Labor Relations Authority, 
including its General Counsel, information related to the establishment 
of jurisdiction, investigation, and resolution of allegations of unfair 
labor practices, or in connection with the resolution of exceptions to 
arbitration awards when a question of material fact is raised in 
matters before the Federal Service Impasses Panel.
    37. VA may disclose information to officials of labor organizations 
recognized under 5 U.S.C. Chapter 71 when relevant and necessary to 
their duties of exclusive representation concerning personnel policies, 
practices, and matters affecting working conditions.
    38. VA may disclose information to officials of the Merit Systems 
Protection Board, including the Office of the Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
otherwise authorized by law.
    39. VA may disclose information to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discrimination practices, examinations of Federal 
affirmative employment programs, compliance with the Uniform Guidelines 
of Employee Selection Procedures, or other functions of the Commission 
as authorized by law or regulation.
    40. VA may disclose relevant health care information to health and 
welfare agencies, housing resources, and utility companies, possibly to 
be combined with disclosures to other agencies, in situations where VA 
needs to act quickly in order to provide basic and/or emergency needs 
for the patient and patient's family where the family resides with the 
patient or serves as a caregiver.
    41. VA may disclose health care information to funeral directors or 
representatives of funeral homes in order for them to make necessary 
arrangements prior to and in anticipation of a patient's death.
    42. VA may disclose health care information to the FDA, or a person 
subject to the jurisdiction of the FDA, with respect to FDA-regulated 
products for purposes of reporting adverse events, product defects or 
problems, or biological product deviations; tracking products; enabling 
product recalls, repairs, or replacement; and/or conducting post 
marketing surveillance.
    43. VA may disclose health care information to a non-VA health care 
provider, such as private health care providers or hospitals, DoD, or 
IHS providers, for the purpose of treating VA patients.
    44. VA may disclose information to telephone company operators 
acting in their capacity to facilitate phone calls for hearing impaired 
individuals, such as patients, patients' family members, or non-VA 
providers, using telephone devices for the hearing impaired, including 
Telecommunications Device for the Deaf (TDD) or Text Telephones (TTY).
    45. VA may disclose information to any Federal, State, local, 
tribal, or foreign law enforcement agency in order to report a known 
fugitive felon, in compliance with 38 U.S.C. 5313B(d).
    46. Relevant health care information may be disclosed by VA 
employees who are designated requesters (individuals who have completed 
a course offered or approved by an Organ Procurement Organization), or 
their designees, for the purpose of determining suitability of a 
patient's organs or tissues for organ donation to an organ procurement 
organization, a designated requester who is not a VA employee, or their 
designees acting on behalf of local organ procurement organizations.

[[Page 60046]]

    47. VA may disclose relevant heath care information to DoD, or its 
components, as necessary in addressing the transition, health care, 
benefits, and administrative support needs of or for wounded, ill, and 
injured active duty service members or reserve components, veterans, 
and their beneficiaries.
    48. VA may disclose information to other Federal agencies in order 
to assist those agencies in preventing, detecting, and responding to 
possible fraud or abuse by individuals in their operations and 
programs.
    49. VA may, on its own initiative, disclose any information to 
appropriate agencies, entities, and persons when (1) VA suspects or has 
confirmed that the integrity or confidentiality of information in the 
system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise, 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security, confidentiality, or integrity of 
this system or other systems or programs (whether maintained by the 
Department or another agency or entity) that rely upon the potentially 
compromised information; and (3) the disclosure is to agencies, 
entities, or persons whom VA determines are reasonably necessary to 
assist or carry out the Department's efforts to report or respond to 
the suspected or confirmed compromise and prevent, minimize, or remedy 
such harm.
    50. VA may disclose information to any third party or Federal 
agency, including contractors to those parties, who are responsible for 
payment of the cost of medical care for the identified patients, in 
support of VA recovery of medical care costs or for any activities 
related to payment of medical care costs. These records may also be 
disclosed as part of a computer matching program to accomplish these 
purposes.
    51. VA may disclose relevant information to a quality review and/or 
peer review organization in connection with the audit of claims or 
other review activities to determine quality of care or compliance with 
professionally accepted claims processing standards.
    52. VA may disclose health care information as deemed necessary and 
proper to Federal, State, and local government agencies, and national 
health organizations in order to assist in the development of programs 
that will be beneficial to claimants, protect their rights under law, 
and ensure that they are receiving all benefits to which they are 
entitled.
    53. VA may disclose information to a former VA employee or 
contractor, as well as the authorized representative of a current or 
former employee or contractor of VA, in pending or reasonably 
anticipated litigation against the individual regarding health care 
provided during the period of his or her employment or contract with 
VA.
    54. VA may disclose information to a former VA employee or 
contractor, as well as the authorized representative of a current or 
former employee or contractor of VA, in defense or reasonable 
anticipation of a tort claim, litigation, or other administrative or 
judicial proceeding involving VA when the Department requires 
information or consultation assistance from the former employee or 
contractor regarding health care provided during the period of his or 
her employment or contract with VA.
    55. VA may disclose information to a former VA employee or 
contractor, as well as the authorized representative of a current or 
former employee or contractor of VA, in connection with or in 
consideration of the reporting of:
    (a) Any payment for the benefit of the former VA employee or 
contractor that was made as the result of a settlement or judgment of a 
claim of medical malpractice, if an appropriate determination is made 
in accordance with Department policy that payment was related to 
substandard care, professional incompetence, or professional misconduct 
on the part of the individual;
    (b) A final decision which relates to possible incompetence or 
improper professional conduct that adversely affects the former 
employee's or contractor's clinical privileges for a period longer than 
30 days; or
    (c) The former employee's or contractor's surrender of clinical 
privileges or any restriction of such privileges while under 
investigation by the health care entity relating to possible 
incompetence or improper professional conduct to the National 
Practitioner Data Bank or the state licensing board in any state in 
which the individual is licensed, the VA facility is located, or an act 
or omission occurred upon which a medical malpractice claim was based.
    56. VA may disclose information to a former VA employee or 
contractor, as well as the authorized representative of a current or 
former employee or contractor of VA, in connection with or in 
consideration of reporting that the individual's professional health 
care activity so significantly failed to conform to generally accepted 
standards of professional medical practice as to raise reasonable 
concern for the health and safety of patients, to a Federal agency, a 
State or local government licensing board, or the Federation of State 
Medical Boards or a similar non-governmental entity which maintains 
records concerning individuals' employment histories or concerning the 
issuance, retention, or revocation of licenses, certifications, or 
registration necessary to practice an occupation, profession, or 
specialty.
    57. VA may disclose information to a former VA employee or 
contractor, as well as the authorized representative of a current or 
former employee or contractor of VA, in connection with investigations 
by the Equal Employment Opportunity Commission pertaining to alleged or 
possible discrimination practices, examinations of Federal affirmative 
employment programs, or other functions of the Commission as authorized 
by law or regulation.
    58. VA may disclose information to a former VA employee or 
contractor, as well as the authorized representative of a current or 
former employee or contractor of VA, in proceedings before the Merit 
Systems Protection Board or the Office of the Special Counsel in 
connection with appeals, special studies of the civil service and other 
merit systems, review of rules and regulations, investigation of 
alleged or possible prohibited personnel practices, and such other 
functions promulgated in 5 U.S.C. 1205 and 1206, or as otherwise 
authorized by law.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Records are maintained on paper, microfilm, electronic media 
including images and scanned documents, or laser optical media in the 
consolidated health record at the health care facility where care was 
rendered, in the VA Health Data Repository, and at Federal Record 
Centers. In most cases, copies of back-up computer files are maintained 
at off-site locations. Subsidiary record information is maintained at 
the various respective services within the health care facility (e.g., 
pharmacy, fiscal, dietetic, clinical laboratory, radiology, social 
work, psychology) and by individuals, organizations, and/or agencies 
with whom VA has a contract or agreement to perform such services, as 
the VA may deem practicable.
    Paper records are currently being relocated from Federal record 
centers to the VA Records Center and Vault. It is projected that all 
paper records will be stored at the VA Records Center and Vault by the 
end of the calendar year 2004.

[[Page 60047]]

Retrievability:
    Records are retrieved by name, social security number or other 
assigned identifiers of the individuals to whom they pertain.

Safeguards:
    1. Access to working spaces and patient medical record storage 
areas in VA health care facilities is restricted to authorized VA 
employees. Generally, file areas are locked after normal duty hours. 
Health care facilities are protected from outside access by the Federal 
Protective Service and/or other security personnel. Access to patient 
medical records is restricted to VA employees who have a need for the 
information in the performance of their official duties. Sensitive 
patient medical records, including employee patient medical records, 
records of public figures, or other sensitive patient medical records 
are generally stored in separate locked files or a similar 
electronically controlled access environment. Strict control measures 
are enforced to ensure that access to and disclosures from these 
patient medical records are limited.
    2. Access to computer rooms within health care facilities is 
generally limited by appropriate locking devices and restricted to 
authorized VA employees and vendor personnel. ADP peripheral devices 
are generally placed in secure areas (areas that are locked or have 
limited access) or are otherwise protected. Only authorized VA 
employees or vendor employees may access information in the system. 
Access to file information is controlled at two levels: the system 
recognizes authorized employees by a series of individually unique 
passwords/codes as a part of each data message, and the employees are 
limited to only that information in the file that is needed in the 
performance of their official duties. Information that is downloaded 
and maintained on personal computers must be afforded similar storage 
and access protections as the data that is maintained in the original 
files. Access by remote data users such as Veteran Outreach Centers, 
Veteran Service Officers (VSO) with power of attorney to assist with 
claim processing, VBA Regional Office staff for benefit determination 
and processing purposes, OIG staff conducting official audits or 
investigations and other authorized individuals is controlled in the 
same manner.
    3. Access to the VA National Data Centers is generally restricted 
to Center employees, custodial personnel, Federal Protective Service, 
and other security personnel. Access to computer rooms is restricted to 
authorized operational personnel through electronic locking devices. 
All other persons gaining access to computer rooms are escorted. 
Information stored in the computer may be accessed by authorized VA 
employees at remote locations including VA health care facilities, VA 
Central Office, Veterans Integrated Service Networks (VISNs), and OIG 
Central Office and field staff. Access is controlled by individually 
unique passwords/codes that must be changed periodically by the 
employee.
    4. Access to the VA Health Data Repository (HDR), located at the VA 
National Data Centers, is generally restricted to Center employees, 
custodial personnel, Federal Protective Service, and other security 
personnel. Access to computer rooms is restricted to authorized 
operational personnel through electronic locking devices. All other 
persons gaining access to computer rooms are escorted. Information 
stored in the computer may be accessed by authorized VA employees at 
remote locations including VA health care facilities, VA Central 
Office, VISNs, and OIG Central Office and field staff. Access is 
controlled by individually unique passwords/codes that must be changed 
periodically by the employee.
    5. Access to records maintained at VA Central Office, the VA Boston 
Development Center, Chief Information Office Field Offices, and VISNs 
is restricted to VA employees who have a need for the information in 
the performance of their official duties. Access to information stored 
in electronic format is controlled by individually unique passwords/
codes. Records are maintained in manned rooms during working hours. The 
facilities are protected from outside access during non-working hours 
by the Federal Protective Service or other security personnel.
    6. Computer access authorizations, computer applications available 
and used, information access attempts, and frequency and time of use 
are recorded.

Retention and disposal:
    In accordance with the records disposition authority approved by 
the Archivist of the United States, paper records and information 
stored on electronic storage media are maintained for seventy-five (75) 
years after the last episode of patient care and then destroyed/or 
deleted.

System manager(S) and address:
    Patient Medical Records: Director, Information Assurance (19F), 
Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 
20420.
    Health Data Repository: Director, Health Data Systems (19-SL), 
Department of Veterans Affairs, 295 Chipeta Way, Salt Lake City, UT 
84108.

Notification procedure:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to review the contents of such record, should 
submit a written request or apply in person to the last VA health care 
facility where care was rendered. Addresses of VA health care 
facilities may be found in VA Appendix 1 of the Biennial Publication of 
Privacy Act Issuances. All inquiries must reasonably describe the 
portion of the medical record involved and the place and approximate 
date that medical care was provided. Inquiries should include the 
patient's full name, social security number, and return address.

Record access procedure:
    Individuals seeking information regarding access to and contesting 
of VA medical records may write, call, or visit the last VA facility 
where medical care was provided.

Contesting record procedures:
    (See Record Access Procedures above.)

Record source categories:
    The patient, family members, friends, or accredited 
representatives, employers; military service departments; health 
insurance carriers; private medical facilities and health care 
professionals; state and local agencies; other Federal agencies; VA 
Regional Offices, Veterans Benefits Administration automated record 
systems (including Veterans and Beneficiaries Identification and 
Records Location Subsystem-VA (38VA23) and the Compensation, Pension, 
Education and Rehabilitation Records-VA (58VA21/22/28); and various 
automated systems providing clinical and managerial support at VA 
health care facilities.
[FR Doc. E9-27786 Filed 11-18-09; 8:45 am]
BILLING CODE P