[Federal Register Volume 83, Number 50 (Wednesday, March 14, 2018)]
[Notices]
[Pages 11303-11308]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-05085]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of a Modified System of Records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, notice is hereby given 
that the Department of Veterans Affairs (VA) is amending the system of 
records entitled ``The Revenue Program-Billing and Collections Records-
VA'' (114VA16) as set forth in a notice, published in the Federal 
Register on February 11, 2014. VA is amending the system of records by 
revising the System Number, System Manager, Categories of Individuals 
Covered by the System, Categories of Records in the System, Record 
Source Categories, Routine Uses of Records Maintained in the System, 
Policies and Practices for Retention and Disposal of Records, and 
Safeguards. VA is republishing the system notice in its entirety.

DATES: Comments on this amended system of records must be received no 
later than April 13, 2018. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by VA, the amended system will become effective April 13, 
2018.

ADDRESSES: Written comments may be submitted through 
www.Regulations.gov; by mail or hand-delivery to Director, Regulation 
Policy and Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave. NW, Room 1064, Washington, DC 20420; or by fax to (202) 
273-9026 (not a toll-free number). Comments should indicate that they 
are submitted in response to ``The Revenue Program-Billing and 
Collections Records-VA''. Copies of comments received will be available 
for public inspection in the Office of Regulation Policy and 
Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., 
Monday through Friday (except holidays). Please call (202) 461-4902 for 
an appointment. (This is not a toll-free number.) In addition, comments 
may be viewed online at www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, 
Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION:  The System Number is changed from 114VA16 
to 114VA10D to reflect the current organizational alignment.
    System Manager is being amended to replace Chief Business Officer, 
Chief Business Office (16) with Deputy Under Secretary for Health, 
Office of Community Care (10D).
    Categories of Individuals Covered by the System is being amended to 
add ``or Community Care programs, such as Choice'' to Item 9. 
Healthcare professionals providing examination or treatment to 
individuals under contract or resource sharing agreements.
    Categories of Records in the System is being amended to remove the 
universal personal identification number. In Item 3, International 
Classification of Diseases (ICD)-9-CM will be replaced with ICD-10-CM. 
Drug Enforcement Administration (DEA) number was added to Item 6.
    The Record Source Categories is being amended to change 77VA10Q to 
77VA10A4 and 79VA19 to 79VA10P2.
    The Routine Uses of Records Maintained in the System has been 
amended by adding language to Routine Use #20 which states, ``a. 
Effective Response. A federal agency's ability to respond quickly and 
effectively in the event of a breach of federal data is critical to its 
efforts to prevent or minimize any consequent harm. An effective 
response necessitates disclosure of information regarding the breach to 
those individuals affected by it, as well as to persons and entities in 
a position to cooperate, either by assisting in notification to 
affected individuals or playing a role in preventing or minimizing 
harms from the breach. b. Disclosure of Information. Often, the 
information to be disclosed to such persons and entities is maintained 
by federal agencies and is subject to the Privacy Act (5 U.S.C. 552a). 
The Privacy Act prohibits the disclosure of any record in a system of 
records by any means of communication to any person or agency absent 
the written consent of the subject individual, unless the disclosure 
falls within one of twelve statutory exceptions. In order to ensure an 
agency is in the best position to respond in a timely and effective 
manner, in accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, 
agencies should publish a routine use for appropriate systems 
specifically applying to the disclosure of information in connection 
with response and remedial efforts in the event of a data breach.''
    Routine use #23 is also being added to state, ``VA may, on its own 
initiative, disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach. VA needs this 
routine use for the data breach response and remedial efforts with 
another Federal agency.''
    Routine Use #24 is being added to state, ``VA may disclose relevant 
information to attorneys, insurance companies, employers, third parties 
liable or potentially liable under health plan contracts, and courts, 
boards, or commissions, to the extent necessary to aid VA in the 
preparation, presentation, and prosecution of claims authorized under 
Federal, State, or local laws, and regulations promulgated 
thereunder.'' VA must be able to release billing information that is 
related to VA's claims for recovery to health insurers, workers 
compensation insurers, auto reparations insurers, and any other entity 
liable to pay VA.
    Routine Use #25 is being added to state, ``VA may disclose relevant 
information to health plans, quality review and/or peer review 
organizations in connection with the audit of claims or other review 
activities to determine quality of care or compliance with 
professionally accepted claims processing standards.'' This routine use 
permits disclosure of information for quality assessment audits 
received by Healthcare Effectiveness Data and Information Set or 
similar auditors.
    Policies and Practices for Retention and Disposal of Records has 
been amended to replace ``Paper records and

[[Page 11304]]

information stored on electronic storage media are maintained and 
disposed of in accordance with records disposition authority approved 
by the Archivist of the United States'' with Follow the requirement of 
RCS 10-1 Chapter 4 Item 4000.1 a & b. 4000.1 Financial transaction 
records related to procuring goods and services, paying bills, 
collecting debts, and accounting.

a. Official Record Held in the Office of Record

    Temporary; destroy 6 years after final payment or cancellation, but 
longer retention is authorized if required for business use. (GRS 1.1, 
Item 010) (DAA-GRS-2016-0001-0002)

b. All Other Copies

    Temporary; destroy or delete when 6 years old, but longer retention 
is authorized if required for business use. (GRS 1.1 item 013) (DAA-
GRS-2016-0001-0002).''
    Administrative, Technical, and Physical Safeguards is being amended 
to replace Automation Center (AC) with Austin Information Technology 
Center (AITC).
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of Office of Management 
and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and 
guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. John 
Oswalt, Executive Director for Privacy, Department of Veterans Affairs 
approved this document on January 18, 2018, for publication.

    Dated: March 8, 2018.
Kathleen M. Manwell,
Program Analyst, VA Privacy Service, Office of Privacy Information and 
Identity Protection, Department of Veterans Affairs.
SYSTEM NAME
    The Revenue Program-Billing and Collections Records--VA (114VA10D)

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    Records are maintained at each VA healthcare facility. In most 
cases, backup computer tape information is stored at off-site 
locations. Address locations for VA facilities are listed in VA 
Appendix 1 of the biennial publication of VA Privacy Act Issuances. In 
addition, information from these records or copies of records may be 
maintained at the Department of Veterans Affairs (VA), 810 Vermont 
Avenue NW, Washington, DC; the VA Austin Automation Center (AAC), 
Austin, Texas; Veterans Integrated Service Network (VISN) Offices; VA 
Allocation Resource Center (ARC), Boston, Massachusetts, and contractor 
facilities.

SYSTEM MANAGER(S):
    The official responsible for policies and procedures is the Deputy 
Under Secretary for Health, Office of Community Care (10D), Department 
of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. The 
local officials responsible for maintaining the system are the Director 
of the facility where the individual is or was associated.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code (U.S.C.), sections 1710 and 1729.

PURPOSE(S) OF THE SYSTEM:
    The records and information are used for the billing of, and 
collections from a third party payer, including insurance companies, 
other Federal agencies, or foreign governments, for medical care or 
services received by a Veteran for a non-service connected condition or 
from a first party Veteran required to make copayments. The records and 
information are also used for the billing of and collections from other 
Federal agencies for medical care or services received by an eligible 
beneficiary. The data may be used to identify and/or verify insurance 
coverage of a Veteran or Veteran's spouse prior to submitting claims 
for medical care or services. The data may be used to support appeals 
for non-reimbursement of claims for medical care or services provided 
to a Veteran. The data may be used to enroll health care providers with 
health plans and VA's health care clearinghouse in order to 
electronically file third party claims. For the purposes of health care 
billing and payment activities to and from third party payers, VA will 
disclose information in accordance with the legislatively-mandated 
transaction standard and code sets promulgated by the United States 
Department of Health and Human Services (HHS) under the Health 
Insurance Portability and Accountability Act (HIPAA). The data may be 
used to make application for an NPI, as required by the HIPAA 
Administrative Simplification Rule on Standard Unique Health Identifier 
for Healthcare Providers, 45 CFR part 162, for all health care 
professionals providing examination or treatment within VA health care 
facilities, including participation in pilot test of NPI enumeration 
system by the Centers of Medicare and Medicaid Services (CMS). The 
records and information may be used for statistical analyses to produce 
various management, tracking and follow-up reports, to track and trend 
the reimbursement practices of insurance carriers, and to track billing 
and collection information. The data may be used to support, or in 
anticipation of supporting, reimbursement claims from community health 
care providers or their agents. The data may be used to support, or in 
anticipation of supporting, reimbursement claims from academic 
affiliates with which VA maintains a business relationship.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    1. Veterans who have applied for healthcare services under Title 
38, United States Code, Chapter 17, and in certain cases members of 
their immediate families.
    2. Beneficiaries of other Federal agencies.
    3. Individuals examined or treated under contract or resource 
sharing agreements.
    4. Individuals examined or treated for research or donor purposes.
    5. Individuals who have applied for Title 38 benefits but who do 
not meet the requirements under Title 38 to receive such benefits.
    6. Individuals who were provided medical care under emergency 
conditions for humanitarian reasons.
    7. Pensioned members of allied forces (Allied Beneficiaries) who 
are provided healthcare services under Title 38, United States Code, 
Chapter 1.
    8. Healthcare professionals providing examination or treatment to 
any individuals within VA healthcare facilities.
    9. Healthcare professionals providing examination or treatment to 
individuals under contract or resource sharing agreements or Community 
Care programs, such as Choice.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information related to:
    1. The social security number and insurance policy number of the 
Veteran and/or Veteran's spouse. The record may include other 
identifying

[[Page 11305]]

information (e.g., name, date of birth, age, sex, marital status) and 
address information (e.g., home and/or mailing address, home telephone 
number).
    2. Insurance company information specific to coverage of the 
Veteran and/or spouse to include annual deductibles and benefits.
    3. Diagnostic codes (ICD-10-CM, CPT-4, and any other coding system) 
pertaining to the individual's medical, surgical, psychiatric, dental 
and/or psychological examination or treatment.
    4. Charges claimed to a third party payer, including insurance 
companies, other Federal agencies, or foreign governments, based on 
treatment/services provided to the patient.
    5. Charges billed to those Veterans who are required to meet co-
payment obligations for treatment/services rendered by VA.
    6. The name, social security number, Drug Enforcement 
Administration (DEA) number, National Provider Identifier (NPI) and 
credentials including provider's degree, licensure, certification, 
registration or occupation of healthcare providers.
    7. Records of charges related to patient care that are created in 
anticipation of litigation in which the United States is a party or has 
an interest in the litigation or potential litigation, including a 
third-party tortfeasor, workers compensation, or no-fault automobile 
insurance cases. Such records are not subject to disclosure under 5 
U.S.C. 552a(d)(5).

RECORD SOURCE CATEGORIES:
    The patient, family members or guardian, and friends, employers or 
other third parties when otherwise unobtainable from the patient or 
family; health insurance carriers; private medical facilities and 
healthcare professionals; state and local agencies; other Federal 
agencies; VA regional offices; Veterans Benefits Administration 
automated record systems, including Veterans and
    Beneficiaries Identification and Records Location Subsystem--VA 
(38VA23) and the Compensation, Pension, Education and Rehabilitation 
Records--VA (58VA21/22); and various automated systems providing 
clinical and facilities to include Health Care Provider Credentialing 
and Privileging Records--VA (77VA10A4) and Veterans Health Information 
Systems and Technology Architecture (VistA) (79VA10P2).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually-
identifiable health information, and 38 U.S.C. 7332; i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. On its own initiative, VA may disclose information, except for 
the names and home address of veterans and their dependents, to a 
Federal, state, local, tribal or foreign agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto. On its 
own initiative, VA may also disclose the names and addresses of 
Veterans and their dependents to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto.
    2. Disclosure may be made to an agency in the executive, 
legislative, or judicial branch, or the District of Columbia government 
in response to its request or at the initiation of VA, in connection 
with the letting of a contract, other benefits by the requesting 
agency, or the lawful statutory, administrative, or investigative 
purpose of the agency to the extent that the information is relevant 
and necessary to the requesting agency's decision. However, names and 
addresses of veterans and their dependents will be released only to 
Federal entities.
    3. Disclosure may be made to a Congressional office from the record 
of an individual in response to an inquiry from the Congressional 
office made at the request of that individual.
    4. Disclosure may be made to National Archives and Records 
Administration (NARA) in records management inspections conducted under 
authority of Title 44 U.S.C.
    5. Disclosure may be made to the Department of Justice and United 
States attorneys in defense or prosecution of litigation involving the 
United States, and to Federal agencies upon their request in connection 
with review of administrative tort claims filed under the Federal Tort 
Claims Act, 28 U.S.C. 2672.
    6. Any information in this system of records, including personal 
information obtained from other Federal agencies through computer-
matching programs, may be disclosed for the purposes identified below 
to any third party, except consumer reporting agencies, in connection 
with any proceeding for the collection of an amount owed to the United 
States by virtue of a person's participation in any benefit program 
administered by VA. Information may be disclosed under this routine use 
only to the extent that it is reasonably necessary for the following 
purposes: (a) To assist VA in collection of Title 38 overpayments, 
overdue indebtedness, and/or costs of services provided individuals not 
entitled to such services; and (b) to initiate civil or criminal legal 
actions for collecting amounts owed to the United States and/or for 
prosecuting individuals who willfully or fraudulently obtain Title 38 
benefits without entitlement. This disclosure is consistent with 38 
U.S.C. 5701(b)(6).
    7. The name and address of a veteran, other information as is 
reasonably necessary to identify such Veteran, including personal 
information obtained from other Federal agencies through computer 
matching programs, and any information concerning the Veteran's 
indebtedness to the United States by virtue of the person's 
participation in a benefits program administered by VA may be disclosed 
to a consumer reporting agency for purposes of assisting in the 
collection of such indebtedness, provided that the provisions of 38 
U.S.C. 5701(g)(4) have been met.
    8. The name of a veteran, or other beneficiary, other information 
as is reasonably necessary to identify such individual, and any 
information concerning the individual's indebtedness by virtue of a 
person's participation in a medical care and treatment program 
administered by VA, may be disclosed to the Treasury Department, 
Internal Revenue Service, for the collection of indebtedness arising 
from such program by the withholding of all or a portion of the 
person's Federal income tax refund. These records may be disclosed as 
part of a computer-matching program to accomplish these purposes.
    9. Relevant information (excluding medical treatment information 
related to drug or alcohol abuse, infection with the human 
immunodeficiency virus or sickle cell anemia) may be disclosed to HHS 
for the purpose of identifying improper duplicate payments made by 
Medicare fiscal intermediaries where VA was authorized and was 
responsible for payment for medical services obtained at community 
healthcare facilities.

[[Page 11306]]

    10. The social security number, universal personal identification 
number, NPI, credentials, and other identifying information of a 
healthcare provider may be disclosed to a third party where the third 
party requires the Department provide that information before it will 
pay for medical care provided by VA.
    11. Relevant information may be disclosed to individuals, 
organizations, private or public agencies, etc., with whom VA has a 
contract or agreement to perform such services as VA may deem practical 
for the purposes of laws administered by VA, in order for the 
contractor and/or subcontractor to perform the services of the contract 
or agreement.
    12. Relevant information from this system of records may be 
disclosed to the National Practitioner Data Bank and/or State Licensing 
Board in the State(s) in which a practitioner is licensed, in which the 
VA facility is located, and/or in which an act or omission occurred 
upon which a medical malpractice claim was based when VA reports 
information concerning: (a) Any payment for the benefit of a physician, 
dentist, or other licensed healthcare practitioner which was made as 
the result of a settlement or judgment of a claim of medical 
malpractice if an appropriate determination is made in accordance with 
agency policy that payment was related to substandard care, 
professional incompetence or professional misconduct on the part of the 
individual; (b) a final decision which relates to possible incompetence 
or improper professional conduct that adversely affects the clinical 
privileges of a physician, dentist or other licensed healthcare 
practitioner for a period longer than 30 days; or, (c) the acceptance 
of the surrender of clinical privileges, or any restriction of such 
privileges by a physician, dentist, or other licensed healthcare 
practitioner either while under investigation by the healthcare entity 
relating to possible incompetence or improper professional conduct, or 
in return for not conducting such an investigation or proceeding. These 
records may also be disclosed as part of a computer-matching program to 
accomplish these purposes.
    13. Relevant information may be disclosed from this system of 
records to any third party or Federal agency such as the Department of 
Defense, Office of Personnel Management, HHS and government-wide third-
party insurers responsible for payment of the cost of medical care for 
the identified patients, in order for VA to seek recovery of the 
medical care costs. These records may also be disclosed as part of a 
computer matching program to accomplish these purposes.
    14. Relevant information, including the nature and amount of a 
financial obligation, may be disclosed in order to assist VA in the 
collection of unpaid financial obligations owed VA, to a debtor's 
employing agency or commanding officer, so that the debtor employee may 
be counseled by his or her Federal employer or commanding officer. This 
purpose is consistent with 5 U.S.C. 5514, 4 CFR 102.5, and section 206 
of Executive Order 11222 of May 8, 1965 (30 FR 6469).
    15. Identifying information such as name, address, social security 
number and other information as is reasonably necessary to identify 
such individual, may be disclosed to the National Practitioner Data 
Bank at the time of hiring and/or clinical privileging/re-privileging 
of healthcare practitioners, and at other times as deemed necessary by 
VA, in order for VA to obtain information relevant to a Department 
decision concerning the hiring, privileging/re-privileging, retention 
or termination of the applicant or employee.
    16. Disclosure of individually identifiable health information 
including billing information for the payment of care may be made by 
appropriate VA personnel, to the extent necessary and on a need-to-know 
basis consistent with good medical-ethical practices, to family members 
and/or the person(s) with whom the patient has a meaningful 
relationship.
    17. Provider identifying information may be disclosed from this 
system of records to CMS to test the enumeration system for the NPI and 
once the system is operational, to obtain an NPI for any eligible 
healthcare professional providing examination or treatment with VA 
healthcare facilities.
    18. Relevant information may be disclosed to community health care 
providers or their agents where the community health care provider 
provides health care treatment to veterans and requires the Department 
provide that information in order for that entity or its agent to 
submit, or in anticipation of submission of, a health care 
reimbursement claim or, in the case of the NPI, for permissible 
purposes specified in the HIPAA legislation (45 CFR part 162).
    19. Relevant information may be disclosed to an academic affiliate 
with which VA maintains a business relationship, where the VA provider 
also maintains an appointment to that academic affiliate's medical 
staff. This disclosure is to support, or in anticipation of supporting, 
a health care reimbursement claim(s) or, in the case of the NPI, for 
permissible purposes specified in the HIPAA legislation (45 CFR part 
162).
    20. Any records may be disclosed to appropriate agencies, entities, 
and persons under the following circumstances: When (1) it is suspected 
or confirmed that the security or confidentiality of information in the 
system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security or integrity of this system or other 
systems or programs (whether maintained by the Department or another 
agency or entity) that rely upon the compromised information; and (3) 
the disclosure is made to such agencies, entities, and persons who are 
reasonably necessary to assist in connection with the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosures by VA to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision of credit 
protection services as provided in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.
    a. Effective Response. A federal agency's ability to respond 
quickly and effectively in the event of a breach of federal data is 
critical to its efforts to prevent or minimize any consequent harm. An 
effective response necessitates disclosure of information regarding the 
breach to those individuals affected by it, as well as to persons and 
entities in a position to cooperate, either by assisting in 
notification to affected individuals or playing a role in preventing or 
minimizing harms from the breach.
    b. Disclosure of Information. Often, the information to be 
disclosed to such persons and entities is maintained by federal 
agencies and is subject to the Privacy Act (5 U.S.C. 552a). The Privacy 
Act prohibits the disclosure of any record in a system of records by 
any means of communication to any person or agency absent the written 
consent of the subject individual, unless the disclosure falls within 
one of twelve statutory exceptions. In order to ensure an agency is in 
the best position to respond in a timely and effective manner, in 
accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, agencies should 
publish a routine use for

[[Page 11307]]

appropriate systems specifically applying to the disclosure of 
information in connection with response and remedial efforts in the 
event of a data breach.
    21. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    22. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    23. VA may, on its own initiative, disclose information from this 
system to another Federal agency or Federal entity, when VA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    24. VA may disclose relevant information to attorneys, insurance 
companies, employers, third parties liable or potentially liable under 
health plan contracts, and courts, boards, or commissions, to the 
extent necessary to aid VA in the preparation, presentation, and 
prosecution of claims authorized under Federal, State, or local laws, 
and regulations promulgated thereunder.
    25. VA may disclose relevant information to health plans, quality 
review and/or peer review organizations in connection with the audit of 
claims or other review activities to determine quality of care or 
compliance with professionally accepted claims processing standards.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    Pursuant to 5 U.S.C. 552a(b)(12), VA may disclose records from this 
system to consumer reporting agencies as defined in the Fair Credit 
Reporting Act (15 U.S.C. 1681a(f)) or the Federal Claims Collection Act 
of 1966 (31 U.S.C. 3701(a)(3)).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are maintained on paper or electronic media.

POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:
    Records are retrieved by name, social security number or other 
assigned identifier of the individuals on whom they are maintained, or 
by specific bill number assigned to the claim of the individuals on 
whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Follow the requirement of RCS 10-1 Chapter 4 Item 4000.1 a & b.
    4000.1 Financial transaction records related to procuring goods and 
services, paying bills, collecting debts, and accounting.
    a. Official record held in the office of record.
    Temporary; destroy 6 years after final payment or cancellation, but 
longer retention is authorized if required for business use. (GRS 1.1, 
Item 010) (DAA-GRS-2016-0001-0002).
    b. All Other copies.
    Temporary; destroy or delete when 6 years old, but longer retention 
is authorized if required for business use. (GRS 1.1 item 013) (DAA-
GRS-2016-0001-0002).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. Access to VA working and storage areas is restricted to VA 
employees on a ``need-to-know'' basis; strict control measures are 
enforced to ensure that disclosure to these individuals is also based 
on this same principle. Generally, VA file areas are locked after 
normal duty hours and the facilities are protected from outside access 
by the Federal Protective Service or other security personnel.
    2. Information in VistA may only be accessed by authorized VA 
personnel. Access to file information is controlled at two levels. The 
systems recognize authorized personnel by series of individually unique 
passwords/codes as a part of each data message, and personnel are 
limited to only that information in the file, which is needed in the 
performance of their official duties. Information that is downloaded 
from VistA and maintained on personal computers is afforded similar 
storage and access protections as the data that is maintained in the 
original files. Access to information stored on automated storage media 
at other VA locations is controlled by individually unique passwords/
codes. Access by Office of Inspector General (OIG) staff conducting an 
audit, investigation, or inspection at the healthcare facility, or an 
OIG office location remote from the healthcare facility, is controlled 
in the same manner.
    3. Information downloaded from VistA and maintained by the OIG 
headquarters and Field Offices on automated storage media is secured in 
storage areas for facilities to which only OIG staff have access. Paper 
documents are similarly secured. Access to paper documents and 
information on automated storage media is limited to OIG employees who 
have a need for the information in the performance of their official 
duties. Access to information stored on automated storage media is 
controlled by individually unique passwords/codes.
    4. Access to the VA Austin Information Technology Center (AITC) is 
generally restricted to AITC employees, custodial personnel, Federal 
Protective Service and other security personnel. Access to computer 
rooms is restricted to authorized operational personnel through 
electronic locking devices. All other persons gaining access to 
computer rooms are escorted. Information stored in the AITC databases 
may be accessed.
    5. Access to records maintained at the VA Allocation Resource 
Center (ARC) and the VISN Offices is restricted to VA employees who 
have a need for the information in the performance of their official 
duties. Access to information stored in electronic format is controlled 
by individually unique passwords/codes. Records are maintained in 
manned rooms during working hours. The facilities are protected from 
outside access during non-working hours by the Federal Protective 
Service or other security personnel.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of records in this system may write, call or visit the VA facility 
location where they were treated.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

[[Page 11308]]

NOTIFICATION PROCEDURE:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request or apply in person to the last VA healthcare 
facility where care was rendered. Addresses of VA healthcare facilities 
may be found in VA Appendix 1 of the biennial publication of VA Privacy 
Act Issuances. All inquiries must reasonably identify the place and 
approximate date that medical care was provided. Inquiries should 
include the patient's full name, social security number, insurance 
company information, policyholder and policy identification number as 
well as a return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Last full publication provided in 70 FR 55207.

[FR Doc. 2018-05085 Filed 3-13-18; 8:45 am]
 BILLING CODE 8320-01-P