[Federal Register Volume 83, Number 242 (Tuesday, December 18, 2018)]
[Notices]
[Pages 64935-64940]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-27334]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY: Department of Veterans Affairs (VA).
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: The Privacy Act of 1974 requires that all agencies publish in
the Federal Register a notice of the existence and character of their
systems of records. Notice is hereby given that the Department of
Veterans Affairs (VA) is establishing a new system of records entitled,
``HealthShare Referral Manager (HSRM)-VA'' (180VA10D).
DATES: Comments on this new system of records must be received no later
than January 17, 2019. If no public comment is received during the
period allowed for comment or unless otherwise published in the Federal
Register by VA, the new system will become effective January 17, 2019.
If VA receives public comments, VA shall review the comments to
determine whether any changes to the notice are necessary.
ADDRESSES: Written comments concerning the new system of records may be
submitted by: Mail or hand-delivery to Director, Regulations Management
(00REG), Department of Veterans Affairs, 810 Vermont Avenue NW, Room
1068, Washington, DC 20420; fax to (202) 273-9026; or Email to http://www.Regulations.gov. Comments should indicate that they are submitted
in response to ``HealthShare Referral Manager (HSRM)-VA'' (180VA10D).
All comments received will be available for public inspection in the
Office of Regulation Policy and Management, Room 1063B, between the
hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except
holidays). Please call (202) 461-4902 (this is not a toll-free number)
for an appointment.
FOR FURTHER INFORMATION CONTACT: Kevin Kania, Program Manager,
Community Care Referrals and
[[Page 64936]]
Authorization (CCRA) System, Office of Community Care, Hines Office of
Information and Technology Field Office, Edward Hines, Jr. VA Hospital,
P.O. Box 7008, Building 37, Room 128, Hines, IL 60141; telephone at
(815) 254-0334. (This is not a toll-free number.)
SUPPLEMENTARY INFORMATION:
I. Description of Proposed Systems of Records
CCRA is an enterprise-wide solution in support of the Veterans
Access, Choice, and Accountability Act of 2014 (Pub. L. 113-146)
(``Choice Act''), as amended by the VA Expiring Authorities Act of 2014
(Pub. L. 113-175), to generate referrals and authorizations for
Veterans receiving care in the community. VA clinical providers and
Non-VA clinical providers will access a cloud based software system to
request and refer clinical care for Veterans with Non-VA Community Care
providers. This solution will enhance Veteran access to care by
utilizing a common and modern system to orchestrate the complex
business of VA referral management. The CCRA solution is an integral
component of the VA Community Care (CC) Information Technology (IT)
architecture, and will track and share health care information and
correspondence necessary for Veterans to be seen for appropriate and
approved episodes of CC. The CCRA solution will allow the VA to move to
a process that generates standardized referrals and authorizations,
according to clinical and business rules.
The CCRA project completed a contract to provide HealthShare
Referral Manager by Intersystems as the CCRA solution. HealthShare
Referral Manager is a commercial off-the-shelf software product that
will be hosted in an Amazon Web Services (AWS) FedRAMP High Gov cloud
and is planned for enterprise integration with VA systems, both inside
and outside of CC.
II. Proposed Routine Use Disclosures of Data in the System
We are proposing to establish the following Routine Use disclosures
of information maintained in the system. To the extent that records
contained in the system include information protected by 38 U.S.C.
7332, i.e., medical treatment information related to drug abuse,
alcoholism or alcohol abuse, sickle cell anemia or infection with the
human immunodeficiency virus; information protected by 38 U.S.C. 5705,
i.e., quality assurance records; or information protected by 45 CFR
parts 160 and 164, i.e., individually identifiable health information,
such information cannot be disclosed under a routine use unless there
is also specific statutory authority permitting the disclosure. VA may
disclose protected health information pursuant to the following routine
uses where required or permitted by law.
1. VA may disclose information from the record of an individual in
response to an inquiry from the congressional office made at the
request of that individual. VA must be able to provide information
about individuals to adequately respond to inquiries from Members of
Congress at the request of constituents who have sought their
assistance.
2. VA may disclose information from this system to appropriate
agencies, entities, and persons when (1) VA suspects or has confirmed
that there has been a breach of the system of records; (2) VA has
determined that as a result of the suspected or confirmed breach there
is a risk of harm to individuals, VA (including its information
systems, programs, and operations), the Federal Government, or national
security; and (3) the disclosure made to such agencies, entities, and
persons is reasonably necessary to assist in connection with VA's
efforts to respond to the suspected or confirmed breach or to prevent,
minimize, or remedy such harm.
3. VA may disclose information in this system, except the names and
home addresses of Veterans and their dependents, which is relevant to a
suspected or reasonably imminent violation of law, whether civil,
criminal or regulatory in nature and whether arising by general or
program statute or by regulation, rule or order issued pursuant
thereto, to a Federal, state, local, tribal, or foreign agency charged
with the responsibility of investigating or prosecuting such violation,
or charged with enforcing or implementing the statute, regulation, rule
or order. On its own initiative, VA may also disclose the names and
addresses of Veterans and their dependents to a Federal agency charged
with the responsibility of investigating or prosecuting civil, criminal
or regulatory violations of law, or charged with enforcing or
implementing the statute, regulation, rule or order issued pursuant
thereto. VA must be able to provide on its own initiative information
that pertains to a violation of laws to law enforcement authorities in
order for them to investigate and enforce those laws. Under 38 U.S.C.
5701(a) and (f), VA may only disclose the names and addresses of
Veterans and their dependents to Federal entities with law enforcement
responsibilities. This is distinct from the authority to disclose
records in response to a qualifying request from a law enforcement
entity, as authorized by Privacy Act subsection 5 U.S.C. 552a(b)(7).
4. VA may disclose information from this system of records to the
Department of Justice (DoJ), either on VA's initiative or in response
to DoJ's request for the information, after either VA or DoJ determines
that such information is relevant to DoJ's representation of the United
States or any of its components in legal proceedings before a court or
adjudicative body, provided that, in each case, the agency also
determines prior to disclosure that release of the records to the DoJ
is a use of the information contained in the records that is compatible
with the purpose for which VA collected the records. VA, on its own
initiative, may disclose records in this system of records in legal
proceedings before a court or administrative body after determining
that the disclosure of the records to the court or administrative body
is a use of the information contained in the records that is compatible
with the purpose for which VA collected the records. VA must be able to
provide information to DoJ in litigation where the United States or any
of its components is involved or has an interest. A determination would
be made in each instance that under the circumstances involved, the
purpose is compatible with the purpose for which VA collected the
information. This routine use is distinct from the authority to
disclose records in response to a court order under subsection (b)(11)
of the Privacy Act, 5 U.S.C. 552(b)(11), or any other provision of
subsection (b), in accordance with the court's analysis in Doe v.
DiGenova, 779 F.2d 74, 78-84 (D.C. Cir. 1985) and Doe v. Stephens, 851
F.2d 1457, 1465-67 (D.C. Cir. 1988).
5. VA may disclose information from this system of records to
individuals, organizations, private or public agencies, or other
entities or individuals with whom VA has a contract or agreement to
perform such services as VA may deem practicable for the purposes of
laws administered by VA, in order for the contractor, subcontractor,
public or private agency, or other entity or individual with whom VA
has a contract or agreement to perform services under the contract or
agreement. This routine use includes disclosures by an individual or
entity performing services for VA to any secondary entity or individual
to perform an activity that is necessary for individuals,
organizations, private or public agencies, or other entities or
individuals with whom VA has a contract or agreement to provide the
[[Page 64937]]
service to VA. This routine use, which also applies to agreements that
do not qualify as contracts defined by Federal procurement laws and
regulations, is consistent with the Office of Management and Budget
(OMB) guidance in OMB Circular A-108, paragraph 6(j) that agencies
promulgate routine uses to address disclosure of Privacy Act-protected
information to contractors in order to perform the services contracts
for the agency.
6. VA may disclose information from this system to the Equal
Employment Opportunity Commission (EEOC) when requested in connection
with investigations of alleged or possible discriminatory practices,
examination of Federal affirmative employment programs, or other
functions of the Commission as authorized by law or regulation. VA must
be able to provide information to EEOC to assist it in fulfilling its
duties to protect employees' rights, as required by statute and
regulation.
7. VA may disclose information from this system to the Federal
Labor Relations Authority (FLRA), including its General Counsel,
information related to the establishment of jurisdiction,
investigation, and resolution of allegations of unfair labor practices,
or in connection with the resolution of exceptions to arbitration
awards when a question of material fact is raised; for it to address
matters properly before the Federal Services Impasses Panel,
investigate representation petitions, and conduct or supervise
representation elections. VA must be able to provide information to
FLRA to comply with the statutory mandate under which it operates.
8. VA may disclose information from this system to the Merit
Systems Protection Board (MSPB), or the Office of the Special Counsel,
when requested in connection with appeals, special studies of the civil
service and other merit systems, review of rules and regulations,
investigation of alleged or possible prohibited personnel practices,
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as
authorized by law. VA must be able to provide information to MSPB to
assist it in fulfilling its duties as required by statute and
regulation.
9. VA may disclose information from this system to the National
Archives and Records Administration (NARA) and General Services
Administration (GSA) in records management inspections conducted under
Title 44, U.S.C. NARA is responsible for archiving old records which
are no longer actively used but may be appropriate for preservation,
and for the physical maintenance of the Federal government's records.
VA must be able to provide the records to NARA in order to determine
the proper disposition of such records.
10. Data breach response and remedial efforts with another Federal
agency: VA may disclose information from this system to another Federal
agency or Federal entity, when VA determines that information from this
system of records is reasonably necessary to assist the recipient
agency or entity in (1) responding to a suspected or confirmed breach
or (2) preventing, minimizing, or remedying the risk of harm to
individuals, the recipient agency or entity (including its information
systems, programs, and operations), the Federal Government, or national
security, resulting from a suspected or confirmed breach.
11. Disclosure to other Federal agencies may be made to assist such
agencies in preventing and detecting possible fraud or abuse by
individuals in their operations and programs.
12. VA may disclose relevant health care information to (a) a
Federal agency or non-VA health care provider or institution when VA
refers a patient for hospital or nursing home care or medical services,
or authorizes a patient to obtain non-VA medical services, and the
information is needed by the Federal agency or non-VA institution or
provider to perform the services, or (b) a Federal agency or a non-VA
hospital (Federal, State and local, public, or private) or other
medical installation having hospital facilities, blood banks, or
similar institutions, medical schools or clinics, or other groups or
individuals that have contracted or agreed to provide medical services
or share the use of medical resources under the provisions of 38 U.S.C.
513, 7409, 8111, or 8153, when treatment is rendered by VA under the
terms of such contract or agreement, or the issuance of an
authorization, and the information is needed for purposes of medical
treatment and/or follow-up, determining entitlement to a benefit, or
recovery of the costs of the medical care.
III. Compatibility of the Proposed Routine Uses
The Privacy Act permits VA to disclose information about
individuals without their consent for a routine use when the
information will be used for a purpose that is compatible with the
purpose for which VA collected the information. In all of the routine
use disclosures described above, either the recipient of the
information will use the information in connection with a matter
relating to one of VA's programs, to provide a benefit to the VA, or to
disclose information as required by law.
Under section 264, Subtitle F of Title II of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191,
100 Stat. 1936, 2033-34 (1996), the United States Department of Health
and Human Services (HHS) published a final rule, as amended,
establishing Standards for Privacy of Individually-Identifiable health
Information, 45 CFR parts 160 and 164. Veterans Health Administration
(VHA) may not disclose individually identifiable health information (as
defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR
164.501) pursuant to a routine use unless either: (a) The disclosure is
required by law, or (b) the disclosure is also permitted or required by
HHS' Privacy Rule. The disclosures of individually-identifiable health
information contemplated in the routine uses published in this new
system of records notice are permitted under the Privacy Rule or
required by law. However, to also have authority to make such
disclosures under the Privacy Act, VA must publish these routine uses.
Consequently, VA is publishing these routine uses to the routine uses
portion of the system of records notice stating that any disclosure
pursuant to the routine uses in this system of records notice must be
either required by law or permitted by the Privacy Rule, before VHA may
disclose the covered information.
The notice of intent to publish and an advance copy of the system
notice have been sent to the appropriate Congressional committees and
to the Director, Office of Management and Budget, as required by 5
U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR
77677), December 12, 2000.
Signing Authority
The Senior Agency Official for Privacy, or designee, approved this
document and authorized the undersigned to sign and submit the document
to the Office of the Federal Register for publication electronically as
an official document of the Department of Veterans Affairs. James B.
Ford, Acting Executive Director for Privacy, Quality, Privacy, and
Risk, Department of Veterans Affairs approved this document on July 16,
2018 for publication.
[[Page 64938]]
Dated: December 13, 2018.
Kathleen M. Manwell,
Program Analyst, VA Privacy Service, Office of Information and
Technology, Department of Veterans Affairs.
SYSTEM NAME AND NUMBER:
HealthShare Referral Manager (HSRM)-VA (180VA10D)
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Amazon Web Services, LLC, 13461 Sunrise Valley Drive, Herndon, VA
20171-3283. Community Care Referrals and Authorization (CCRA) System
Program Manager, Office of Community Care, Hines Office of Information
and Technology Field Office, Edward Hines, Jr. VA Hospital, P.O. Box
7008, Building 37, Room 128, Hines, IL 60141.
SYSTEM MANAGER(S):
Officials responsible for policies and procedures: Program Manager,
VHA Office of Community Care (10D), Health Eligibility Center, 2957
Clairmont Road, Suite 200 Atlanta, GA 30329-1647. Telephone number
(815) -254-0334. (This is not a toll-free number.)
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Title 38, United States Code, section 7301(a) and Veterans Access,
Choice, and Accountability Act of 2014 (Pub. L. 113-146).
PURPOSE(S) OF THE SYSTEM:
CCRA is an enterprise-wide system used by community care staff to
automatically generate referrals and authorizations for all Veterans
receiving care in the community. The system is an integral component of
the VA community care information technology (IT) architecture, and
will allow Veterans to receive care from community providers within the
Community Care Network through the Veterans Choice Program. The CCRA
system will allow these providers to view relevant patient and clinical
information from Veterans Information Systems and Technology
Architecture (VistA). The exchange of health care information and
authorizations will enhance VA's ability to ensure that Veterans
receive the best health care available to address their medical needs.
The CCRA system will also enable the VA to move from what is currently
a largely manual process to an automated process that generates
standardized referrals and authorizations according to clinical and
business rules. The automated process will decrease the administrative
burden on VA clinical and community care staff members by way of
establishing clinical and business pathways that which reflect best
processes, consistent outcomes, and reduced turnaround times.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The records include information concerning:
1. Veterans who have applied for health care services under Title
38, United States Code, Chapter 17, and in certain cases members of
their immediate families.
2. Individuals examined or treated under contract or resource
sharing agreements.
3. Individuals who were provided medical care under emergency
conditions for humanitarian reasons.
4. Health care professionals providing examination or treatment to
any individuals within VA health care facilities.
5. Healthcare professionals providing examination or treatment to
individuals under contract or resource sharing agreements or CC
programs, such as Choice.
6. Patients and members of their immediate family, volunteers,
maintenance personnel, as well as individuals working collaboratively
with VA.
7. Contractors, sub-contractors, contract personnel, students,
providers and consultants.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records may include information and health information related
to:
1. Identifying information (e.g., name, birth date, death date,
admission date, discharge date, gender, social security number,
taxpayer identification number); address information (e.g., home and/or
mailing address, home telephone number, emergency contact information
such as name, address, telephone number, and relationship); prosthetic
and sensory aid serial numbers; medical record numbers; integration
control numbers; information related to medical examination or
treatment (e.g., location of VA medical facility providing examination
or treatment, treatment dates, medical conditions treated or noted on
examination); information related to military service and status.
2. Computer access authorizations, computer applications available
and used, information access attempts, frequency and time of use;
identification of the person responsible for, currently assigned, or
otherwise engaged in various categories of patient care or support of
health care delivery.
3. Application, eligibility, and claim information regarding
payment determination for medical services provided to VA beneficiaries
by non-VA health care institutions and providers.
4. Health care provider's name, address, and taxpayer
identification number, correspondence concerning individuals and
documents pertaining to claims for medical services, reasons for denial
of payment, and appellate determinations.
RECORD SOURCE CATEGORIES:
The Veteran or other VA beneficiary, family members or accredited
representatives, and other third parties; private medical facilities
and healthcare professionals; health insurance carriers; other Federal
agencies; employees; contractors; VHA facilities and automated systems
providing clinical and managerial support at VA health care facilities.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
1. VA may disclose information from the record of an individual in
response to an inquiry from the congressional office made at the
request of that individual.
2. VA may disclose information from this system to appropriate
agencies, entities, and persons when (1) VA suspects or has confirmed
that there has been a breach of the system of records; (2) VA has
determined that as a result of the suspected or confirmed breach there
is a risk of harm to individuals, VA (including its information
systems, programs, and operations), the Federal Government, or national
security; and (3) the disclosure made to such agencies, entities, and
persons is reasonably necessary to assist in connection with VA's
efforts to respond to the suspected or confirmed breach or to prevent,
minimize, or remedy such harm.
This routine use permits disclosures by the Department to respond
to a suspected or confirmed data breach, including the conduct of any
risk analysis or provision of credit protection services as provided in
38 U.S.C. 5724
a. Effective Response. A Federal agency's ability to respond
quickly and effectively in the event of a breach of Federal data is
critical to its efforts to prevent or minimize any consequent harm. An
effective response necessitates disclosure of information regarding the
breach to those individuals affected by it, as well as to persons and
entities in a position to cooperate, either by assisting in
notification to affected individuals or playing a role in preventing or
minimizing harms from the breach.
[[Page 64939]]
b. Disclosure of Information. Often, the information to be
disclosed to such persons and entities is maintained by Federal
agencies and is subject to the Privacy Act (5 U.S.C. 552a). The Privacy
Act prohibits the disclosure of any record in a system of records by
any means of communication to any person or agency absent the written
consent of the subject individual, unless the disclosure falls within
one of twelve statutory exceptions. In order to ensure an agency is in
the best position to respond in a timely and effective manner, in
accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, agencies should
publish a routine use for appropriate systems specifically applying to
the disclosure of information in connection with response and remedial
efforts in the event of a data breach.
3. VA may, on its own initiative, disclose information in this
system, except the names and home addresses of Veterans and their
dependents, which is relevant to a suspected or reasonably imminent
violation of law, whether civil, criminal or regulatory in nature and
whether arising by general or program statute or by regulation, rule or
order issued pursuant thereto, to a Federal, state, local, tribal, or
foreign agency charged with the responsibility of investigating or
prosecuting such violation, or charged with enforcing or implementing
the statute, regulation, rule or order. On its own initiative, VA may
also disclose the names and addresses of Veterans and their dependents
to a Federal agency charged with the responsibility of investigating or
prosecuting civil, criminal or regulatory violations of law, or charged
with enforcing or implementing the statute, regulation, rule or order
issued pursuant thereto.
4. VA may disclose information from this system of records to the
Department of Justice (DoJ), either on VA's initiative or in response
to DoJ's request for the information, after either VA or DoJ determines
that such information is relevant to DoJ's representation of the United
States or any of its components in legal proceedings before a court or
adjudicative body, provided that, in each case, the agency also
determines prior to disclosure that release of the records to the DoJ
is a use of the information contained in the records that is compatible
with the purpose for which VA collected the records. VA, on its own
initiative, may disclose records in this system of records in legal
proceedings before a court or administrative body after determining
that the disclosure of the records to the court or administrative body
is a use of the information contained in the records that is compatible
with the purpose for which VA collected the records.
5. VA may disclose information from this system of records to
individuals, organizations, private or public agencies, or other
entities or individuals with whom VA has a contract or agreement to
perform such services as VA may deem practicable for the purposes of
laws administered by VA, in order for the contractor, subcontractor,
public or private agency, or other entity or individual with whom VA
has a contract or agreement to perform services under the contract or
agreement.
6. VA may disclose information from this system to the Equal
Employment Opportunity Commission (EEOC) when requested in connection
with investigations of alleged or possible discriminatory practices,
examination of Federal affirmative employment programs, or other
functions of the Commission as authorized by law or regulation.
7. VA may disclose information from this system to the Federal
Labor Relations Authority (FLRA), including its General Counsel,
information related to the establishment of jurisdiction,
investigation, and resolution of allegations of unfair labor practices,
or in connection with the resolution of exceptions to arbitration
awards when a question of material fact is raised; for it to address
matters properly before the Federal Service Impasses Panel, investigate
representation petitions, and conduct or supervise representation
elections.
8. VA may disclose information from this system to the Merit
Systems Protection Board (MSPB), or the Office of the Special Counsel,
when requested in connection with appeals, special studies of the civil
service and other merit systems, review of rules and regulations,
investigation of alleged or possible prohibited personnel practices,
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as
authorized by law.
9. VA may disclose information from this system to the National
Archives and Records Administration (NARA) and General Services
Administration (GSA) in records management inspections conducted under
title 44, U.S.C. NARA is responsible for archiving old records which
are no longer actively used but may be appropriate for preservation,
and for the physical maintenance of the Federal government's records.
10. VA may disclose information from this system to another Federal
agency or Federal entity, when VA determines that information from this
system of records is reasonably necessary to assist the recipient
agency or entity in (1) responding to a suspected or confirmed breach
or (2) preventing, minimizing, or remedying the risk of harm to
individuals, the recipient agency or entity (including its information
systems, programs, and operations), the Federal Government, or national
security, resulting from a suspected or confirmed breach.
11. Disclosure to other Federal agencies may be made to assist such
agencies in preventing and detecting possible fraud or abuse by
individuals in their operations and programs.
12. VA may disclose relevant health care information to (a) a
Federal agency or non-VA health care provider or institution when VA
refers a patient for hospital or nursing home care or medical services,
or authorizes a patient to obtain non-VA medical services, and the
information is needed by the Federal agency or non-VA institution or
provider to perform the services, or (b) a Federal agency or a non-VA
hospital (Federal, State and local, public, or private) or other
medical installation having hospital facilities, blood banks, or
similar institutions, medical schools or clinics, or other groups or
individuals that have contracted or agreed to provide medical services
or share the use of medical resources under the provisions of 38 U.S.C.
513, 7409, 8111, or 8153, when treatment is rendered by VA under the
terms of such contract or agreement, or the issuance of an
authorization, and the information is needed for purposes of medical
treatment and/or follow-up, determining entitlement to a benefit, or
recovery of the costs of the medical care.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
CCRA relies on information in VistA, and only collects information
related to referrals. Referral information is maintained as part of the
individual's electronic health care record in accordance with the rules
applied to those records. The CCRA system is hosted in Amazon Web
Services (AWS) Government Cloud (GovCloud) infrastructure as a service
cloud-computing environment that has been authorized at the high-impact
level under the Federal Risk and Authorization Management Program
(FedRAMP). The secure site-to-site encrypted network connection is
limited to access via the VA trusted internet connection (TIC).
[[Page 64940]]
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records are retrieved by name, social security number or other
assigned identifiers of the individuals on whom they are maintained.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
These patient appointment and appointment schedules records shall
be maintained per Record Control Schedule (RCS) 10-1 item; 2201.1.
According to General Records Scehdule (GRS) 5.1 item 010, DAA-GRS-2017-
0003-0001, temporary destroy transitory records, messages coordinating
schedules, appointments, and events when no longer needed for business
use, or according to agency predetermined time or business rule.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
1. CCRA has physical controls and securely stores digital and non-
digital media defined within the latest revision of NIST SP 800-88,
Guidelines for Media Sanitization, and VA 6500, within controlled
areas; and protects information system media until the media is
destroyed or sanitized using approved equipment, techniques, and
procedures.
2. The CCRA system is hosted in Amazon Web Services (AWS)
Government Cloud (GovCloud) infrastructure as a service cloud-computing
environment that has been authorized at the high-impact level under the
Federal Risk and Authorization Management Program (FedRAMP). The secure
site-to-site encrypted network connection is limited to access via the
VA trusted internet connection (TIC).
RECORD ACCESS PROCEDURES:
Individuals seeking information regarding access to and contesting
of records in this system may write, call or visit the VA facility
location where medical care was provided or VHA Office of Community
Care.
CONTESTING RECORD PROCEDURES:
(See Record Access Procedures above.)
NOTIFICATION PROCEDURES:
An individual who wishes to determine whether a record is being
maintained in this system under his or her name or other personal
identifier, or wants to review the contents of such record, should
submit a written request or apply in person to the last VA health care
facility where care was rendered. All inquiries must reasonably
describe the portion of the medical record involved and the place and
approximate date that medical care was provided. Inquiries should
include the patient's full name, social security number, and return
address.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
[FR Doc. 2018-27334 Filed 12-17-18; 8:45 am]
BILLING CODE P