[Federal Register Volume 81, Number 164 (Wednesday, August 24, 2016)]
[Notices]
[Pages 58005-58008]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-20217]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), 
notice is hereby given that the Department of Veterans Affairs (VA) is 
amending the system of records currently entitled ``My HealtheVet 
Administrative Records-VA'' (130VA19) as set forth in the Federal 
Register 75 FR 70365. VA is amending the system by revising the System 
Number, System Location, Categories of Individuals Covered by the 
System, Categories of Records in the System, Records Source Categories, 
Routine Uses of Records Maintained in the System, Retention and 
Disposal, System Manager, Record Access Procedure, and Notification 
Procedure. VA is republishing the system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than September 23, 2016. If no public comment is 
received, the amended system will become effective September 23, 2016.

ADDRESSES: Written comments concerning the amended system of records 
may be submitted through www.regulations.gov; by mail or hand-delivery 
to Director, Regulations Management (02REG), Department of 
Veterans Affairs, 810 Vermont Avenue NW., Room 1068, Washington, DC 
20420; or by fax to (202) 273-9026. All comments received will be 
available for public inspection in the Office of Regulation Policy and 
Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., 
Monday through Friday (except holidays). Please call (202) 461-4902 
(this is not a toll-free number) for an appointment. In addition, 
during the comment period, comments may be viewed online through the 
Federal Docket Management System at www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue 
NW., Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION: The System Number is changed from 130VA19 to 
130VA10P2 to reflect the current organizational alignment.
    The System Location in this system of records is being amended to 
include contracted data storage location.
    The Categories of Individuals Covered by the System is being 
amended to remove ``grantee, family members and friends'' and add 
``power of attorney and legal guardian'' to section (2). Section (4) is 
being amended to replace ``VHA Information Technology (IT)'' with ``VA 
Office of Information and Technology (OI&T)''. The Categories of 
Records in the System is being amended to delete ``grantee''. The 
Record Source Categories is being amended to add ``power of attorney'' 
to section (2). In Routine Uses of Records Maintained in the System, 
the following routine use is being deleted:
    ``8. Disclosure of information may be made to VA approved 
researchers to enhance, advance and promote both the function and the 
content of the My HealtheVet application.''
    This section is also being amended to add:

    8. VA may disclose health information for research purposes 
determined to be necessary and proper to epidemiological and other 
research entities approved by the Under Secretary for Health or 
designee, such as the Medical Center Director of the facility where 
the information is maintained.
    9. VA may disclose health information, including the name(s) and 
address(es) of present or former personnel of the Armed Services 
and/or their dependents, (a) to a Federal department or agency or 
(b) directly to a contractor of a Federal department or agency, at 
the written request of the head of the agency or the designee of the 
head of that agency, to conduct Federal research necessary to 
accomplish a statutory purpose of an agency. When this information 
is to be disclosed directly to the contractor, VA may impose 
applicable conditions on the department, agency, and/or contractor 
to ensure the appropriateness of the disclosure to the contractor.

    The Retention and Disposal section is being amended to remove 
General Records Schedules (GRS) 20, item 1c and GRS 24, item 6a. This 
section will now include research and GRS 3.2 Item 031.
    The System Manager(s) and Address, Notification Procedure, and 
Record Access Procedure sections are being amended to remove the Chief, 
Technical Infrastructure Division (31), Austin Automation Center, 1615 
Woodward Street, Austin, Texas 78772. These sections will now include 
My HealtheVet Chief Information Officer, 55 Foothill Drive, Suite 400, 
Salt Lake City, Utah 84113.
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Secretary of Veterans Affairs, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Gina S. 
Farrisee, Deputy Chief of Staff, approved this document on August 2, 
2016, for publication.

    Dated: August 8, 2016.
Kathleen M. Manwell,
VA Privacy Service, Office of Privacy and Records Management, 
Department of Veterans Affairs.
130VA10P2

SYSTEM NAME:
    My HealtheVet Administrative Records-VA.

SYSTEM LOCATION:
    Records are maintained at Veterans Health Administration (VHA) 
facilities, VA National Data Centers, VA Health Data Repository (HDR), 
and at the contracted data storage system located in Culpeper, 
Virginia. Address locations for VHA facilities are listed in VA 
Appendix 1 of the biennial publications of the VA systems of records.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, section 501.

PURPOSE(S):
    The information in the My HealtheVet Administrative Records is 
needed to operate the My HealtheVet program including, but not limited 
to, registration and verification of the Veteran's identity or to 
register and authenticate those who have legal authority to participate 
in lieu of the Veteran, to assign and verify administrators of the My 
HealtheVet portal, to retrieve the Veteran's information to perform 
specific functions, and to allow access to specific information and 
provide other associated My HealtheVet electronic services in current 
and future applications of the My HealtheVet program. The 
administrative information may also be used to create administrative 
business reports for system owners and VA managers who are responsible 
for ensuring that the My HealtheVet system is meeting performance 
expectations and is in compliance with applicable Federal laws and 
regulations. Administrative information may also be used for evaluation 
to support program improvement, including VA approved research studies.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by this system encompass: (1) All individuals 
who successfully register for a My HealtheVet account and whose 
identity has been verified; (2) Representatives of the above 
individuals who have been provided Delegate access to My HealtheVet 
including, but not limited to, Power of Attorney (POA), legal guardian, 
or VA and non-VA health care providers; (3) VA health care providers 
and certain administrative staff; (4) VA Office of Information and 
Technology (OI&T) staff and/or their approved contractors who may need 
to enter identifying, administrative information into the system to 
initiate, support, and maintain electronic services for My HealtheVet 
participants; and (5) VA researchers fulfilling VA required 
authorization procedures.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records include personally identifiable information, such as an 
individual's full name; My HealtheVet User Identifier (ID); date of 
birth; Social Security number; email address; telephone number; 
mother's maiden name; ZIP code; place and date of registration for My 
HealtheVet; Delegate user IDs associated with My HealtheVet accounts; 
level of access to My 
HealtheVet electronic services; date and type of transaction; web 
analytics for the purpose of monitoring site usage; patient internal 
control number (ICN); and other administrative data needed for My 
HealtheVet roles and services.

RECORD SOURCE CATEGORIES:
    The sources of information for this system of records include the 
individuals covered by this notice and an additional contributor, as 
listed below:
    (1) All individuals who successfully register for a My HealtheVet 
account;
    (2) Representatives of the above individuals who have been provided 
access to the private health space by the Veteran user, including but 
not limited to, POA, or VA and non-VA health care providers;
    (3) VA health care providers;
    (4) VA OI&T staff and/or their contractors and subcontractors who 
may need to enter information into the system to initiate, support and 
maintain My HealtheVet electronic services for My HealtheVet users;
    (5) VistA and other VA IT systems;
    (6) VA researchers fulfilling VA required authorization procedures 
(see VHA Handbook 1200.01 http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=2038).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164 (i.e., individually 
identifiable health information), and 38 U.S.C. 7332 (i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus), that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. Disclosure of information in this system of records may be made 
to private or public sector organizations, individuals, agencies, etc., 
with whom VA has a contract or agreement, including subcontractors, in 
order to administer the My HealtheVet program, or perform other such 
services as VA deems appropriate and practical for the purposes of 
administering VA laws.
    2. On its own initiative, VA may disclose information, except for 
the names of My HealtheVet users and system administrators, to a State, 
local, tribal or foreign agency charged with the responsibility of 
investigating or prosecuting civil, criminal or regulatory violations 
of law, or charged with enforcing or implementing the statute, 
regulation, rule or order issued pursuant thereto. On its own 
initiative, VA may disclose information including names of My 
HealtheVet users and system administrators to a Federal agency charged 
with the responsibility of investigating or prosecuting civil, criminal 
or regulatory violations of law, or charged with enforcing or 
implementing the statute, regulation, rule or order issued pursuant 
thereto.
    3. VA may disclose information from this system to the National 
Archives and Records Administration (NARA) and General Services 
Administration in records management inspections conducted under title 
44, United States Code (U.S.C.).
    4. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    5. Disclosure may be made to a congressional office from the record 
of an individual in response to an inquiry from the congressional 
office made at the request of that individual.
    6. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    7. Disclosure of information may be made when (1) VA suspects or 
has confirmed that the integrity or confidentiality of information in 
the system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise, 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security or integrity of this system or other 
systems or programs (whether maintained by the Department or another 
agency or entity) that rely upon the compromised information; and (3) 
the disclosure is to agencies, entities, and persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosure by the Department to respond to a suspected or confirmed 
data breach, including the conduct of any risk analysis or provision of 
credit protection services as provided in 38 U.S.C. 5724.
    8. VA may disclose health information for research purposes 
determined to be necessary and proper to epidemiological and other 
research entities approved by the Under Secretary for Health or 
designee, such as the Medical Center Director of the facility where the 
information is maintained.
    9. VA may disclose health information, including the name(s) and 
address(es) of present or former personnel of the Armed Services and/or 
their dependents, (a) to a Federal department or agency or (b) directly 
to a contractor of a Federal department or agency, at the written 
request of the head of the agency or the designee of the head of that 
agency, to conduct Federal research necessary to accomplish a statutory 
purpose of an agency. When this information is to be disclosed directly 
to the contractor, VA may impose applicable conditions on the 
department, agency, and/or contractor to ensure the appropriateness of 
the disclosure to the contractor.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    My HealtheVet Administrative Records are maintained on paper and 
electronic media, including hard drive disks, which are backed up to 
tape at regular intervals.

POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:
    Records may be retrieved by an individual's name, user ID, date of 
registration for My HealtheVet electronic services, ZIP code, the VA 
assigned ICN, date of birth and/or Social Security number, if provided.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are maintained and disposed of in accordance with the 
records disposition authority approved by the Archivist of the United 
States. Records from this system that are needed for audit purposes 
will be retained for at least six (6) years after a 
user's account becomes inactive. Routine records will be disposed of 
when the agency determines they are no longer needed for 
administrative, legal, audit, research, or other operational purposes, 
but no less than six (6) years from date of last account activity. 
These retention and disposal statements are pursuant to the currently 
applicable NARA General Records Schedule GRS 3.2 Item 031.

PHYSICAL, PROCEDURAL, AND ADMINISTRATIVE SAFEGUARDS:
    1. Access to and use of the My HealtheVet Administrative Records 
are limited to those persons whose official duties require such access. 
VA has established security controls and procedures to ensure that 
access is appropriately limited. Information Security Officers and 
system data stewards review and authorize data access requests. VA 
regulates data access with security software that authenticates My 
HealtheVet administrative users and requires individually unique codes 
and passwords. VA provides Information Security training to all staff 
and instructs staff on the responsibility each person has for 
safeguarding data confidentiality. VA regularly updates security 
standards and procedures that are applied to systems and individuals 
supporting this program.
    2. Physical access to computer rooms housing the My HealtheVet 
Administrative Records is restricted to authorized staff and protected 
by a variety of security devices. The Federal Protective Service or 
other security personnel provide physical security for the buildings 
housing computer systems and data centers.
    3. Data transmissions between operational systems and My HealtheVet 
Administrative Records maintained by this system of records are 
protected by telecommunications security software and hardware as 
prescribed by Federal security and privacy laws as well as VA standards 
and practices. This includes firewalls, encryption, and other security 
measures necessary to safeguard data as it travels across the VA Wide 
Area Network.
    4. Copies of back-up computer files are maintained at secure off-
site locations.

SYSTEM MANAGER(S):
    Official responsible for policies and procedures: Director of 
Veterans and Consumers Health Informatics Office, 8455 Colesville Road, 
Suite 1200, Silver Spring, Maryland 20910. Officials maintaining this 
system of records: VHA facilities (address locations for VHA facilities 
are listed in VA Appendix 1 of the biennial publications of the VA 
systems of records) and the My HealtheVet Chief Information Officer, 55 
Foothill Drive, Suite 400, Salt Lake City, Utah 84113.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and/or 
contesting of records in this system may write or call their local VHA 
facility and/or the My HealtheVet Chief Information Officer, 55 
Foothill Drive, Suite 400, Salt Lake City, Utah 84113.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether a record is being 
maintained under their name in this system or wish to determine the 
contents of such records have two options:
    1. Submit a written request or apply in person to the VHA facility 
where the records are located. VHA facility location information can be 
found in the Facilities Locator section of VA's Web site at http://www.va.gov; or
    2. Submit a written request or apply in person to the My HealtheVet 
Chief Information Officer, 55 Foothill Drive, Suite 400, Salt Lake 
City, Utah 84113.
    Inquiries should include the person's full name, user ID, date of 
birth, and return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.
[FR Doc. 2016-20217 Filed 8-23-16; 8:45 am]