[Federal Register Volume 86, Number 102 (Friday, May 28, 2021)]
[Notices]
[Pages 28928-28931]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-11316]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA), Veterans Health 
Administration (VHA).

ACTION: Notice of new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 requires that all agencies publish in 
the Federal Register a notice of the existence and character of their 
systems of records. Notice is hereby given that the Department of 
Veterans Affairs (VA) is establishing a new system of records entitled, 
``VA Employee Whole Health Program Records-VA.''.

DATES: Comments on this new system of records must be received no later 
than 30 days after date of publication in the Federal Register. If no 
public comment is received during the period allowed for comment or 
unless otherwise published in the Federal Register by VA, the new 
system of records will become effective a minimum of 30 days after date 
of publication in the Federal Register. If VA receives public comments, 
VA shall review the comments to determine whether any changes to the 
notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``VA Employee Whole Health Program Records-VA'' 
(199VA10). Comments received will be available at regulations.gov for 
public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health 
Administration (VHA) Privacy Officer, Department of Veterans Affairs, 
810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492 
(Note: not a toll-free number).

SUPPLEMENTARY INFORMATION:

I. Description of Proposed Systems of Records

    The head of each agency of the Government of the United States may 
establish, within the limits of appropriations available, a health 
program to promote and maintain the physical and mental fitness of 
employees under their jurisdiction. VA Employee Whole Health Program 
Records will house records of employees engaging in whole health 
classes, education, coaching, and other approaches in support of their 
individual health and wellbeing. These records will be maintained 
separately from the employee medical file for the privacy of the 
employee as the Employee Whole Health Program records are not for 
documenting fitness for duty, job and/or hazard exposure or medical 
treatment for work-related injuries. The new system of records outlines 
an additional category of records to document and track employees, not 
previously documented, namely records resulting from participation in 
agency-sponsored whole health self-care and wellness activities, 
including health assessments, personal health planning, health 
coaching, preventive services, fitness programs, and any other 
activities that could be considered part of a comprehensive worksite 
whole health and wellness program. The new system of records will allow 
documentation of program participation, will allow workload to be 
captured, and will enable program evaluation to assess effectiveness 
overall and on individual wellbeing.

II. Proposed Routine Use Disclosures of Data in the System

    We are proposing to establish the following routine use disclosures 
of information maintained in the system.
    1. VA may disclose information to a Member of Congress or staff 
acting upon the Member's behalf when the Member or staff requests the 
information on behalf of, and at the request of, the individual who is 
the subject of the record. VA must be able to provide information about 
individuals to adequately respond to inquiries from Members of Congress 
at the request of constituents who have sought their assistance.
    2. VA may disclose information to appropriate agencies, entities, 
and persons when (1) VA suspects or has confirmed that there has been a 
breach of the system of records; (2) VA has determined that as a result 
of the suspected or confirmed breach there is a risk of harm to 
individuals, VA (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with VA's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    3. VA may disclose information to another Federal agency or Federal 
entity, when VA determines that information from this system of records 
is reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs, and 
operations), the Federal Government, or national security, resulting 
from a suspected or confirmed breach.
    4. VA may disclose information to the Department of Justice (DoJ), 
or in a proceeding before a court, adjudicative body, or other 
administrative body before which VA is authorized to appear, when: (a) 
VA or any component thereof; (b) Any VA employee in his or her official 
capacity; (c) Any VA employee in his or her official capacity where DoJ 
has agreed to represent the employee; or (d) The United States, where 
VA determines that litigation is likely to affect the agency or any of 
its components, is a party to such proceedings or has an interest in 
such proceedings, and VA determines that use of such records is 
relevant and necessary to the proceedings, provided, however, that in 
each case VA determines the disclosure is compatible with the purpose 
for which the records were collected. If the disclosure is in response 
to a subpoena, summons, investigative demand, or similar legal process, 
the request must meet the requirements for a qualifying law enforcement 
request under the Privacy Act, 5 U.S.C. 552a(b)(7), or an order from a 
court of competent jurisdiction under 552a(b)(11).

[[Page 28929]]

    5. VA may disclose information that, either alone or in conjunction 
with other information, indicates a violation or potential violation of 
law, whether civil, criminal, or regulatory in nature, to a Federal, 
state, local, territorial, tribal, or foreign law enforcement authority 
or other appropriate entity charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing such law. The disclosure of the names and addresses of 
Veterans and their dependents from VA records under this routine use 
must also comply with the provisions of 38 U.S.C. 5701. If the 
disclosure is in response to a request from a law enforcement entity, 
the request must meet the requirements for a qualifying law enforcement 
request under the Privacy Act, 5 U.S.C. 552a(b)(7).
    6. VA may disclose information to contractors, grantees, experts, 
consultants, students, and others performing or working on a contract, 
service, grant, cooperative agreement, or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    7. VA may disclose information to the Office of Personnel 
Management (OPM) in connection with the application or effect of civil 
service laws, rules, regulations, or OPM guidelines in particular 
situations.
    8. VA may disclose information to the Equal Employment Opportunity 
Commission (EEOC) in connection with investigations of alleged or 
possible discriminatory practices, examination of Federal affirmative 
employment programs, or other functions of the Commission as authorized 
by law. VA must be able to provide information to EEOC to assist it in 
fulfilling its duties to protect employees' rights, as required by 
statute and regulation.
    9. VA may disclose information to the Federal Labor Relations 
Authority (FLRA) in connection with: The investigation and resolution 
of allegations of unfair labor practices, the resolution of exceptions 
to arbitration awards when a question of material fact is raised; 
matters before the Federal Service Impasses Panel; and the 
investigation of representation petitions and the conduct or 
supervision of representation elections. VA must be able to provide 
information to FLRA to comply with the statutory mandate under which it 
operates.
    10. VA may disclose information to the Merit Systems Protection 
Board (MSPB) and the Office of the Special Counsel in connection with 
appeals, special studies of the civil service and other merit systems, 
review of rules and regulations, investigation of alleged or possible 
prohibited personnel practices, and such other functions promulgated in 
5 U.S.C. 1205 and 1206, or as authorized by law. VA must be able to 
provide information to MSPB and the Office of the Special Counsel to 
assist it in fulfilling its duties as required by statute and 
regulation.
    11. VA may disclose information to NARA in records management 
inspections conducted under 44 U.S.C. 2904 and 2906, or other functions 
authorized by laws and policies governing NARA operations and VA 
records management responsibilities. VA must be able to provide the 
records to NARA in order to determine the proper disposition of such 
records.
    12. VA may disclose health care information to a non-VA health care 
provider, such as the Department of Defense and the Department of 
Health and Human Services, for the purpose of treating any VA patient, 
including Veterans. To better facilitate medical care and treatment for 
patients, VA must be prepared to share health information between VHA 
and other health care organizations.
    13. VA may disclose name(s) and address(es) of present or former 
members of the armed services and/or their dependents under certain 
circumstances: (a) To any nonprofit organization, if the release is 
directly connected with the conduct of programs and the utilization of 
benefits under Title 38, or (b) to any criminal or civil law 
enforcement governmental agency or instrumentality charged under 
applicable law with the protection of the public health or safety, if a 
qualified representative of such organization, agency, or 
instrumentality has made a written request for such name(s) or 
address(es) for a purpose authorized by law, provided that the records 
will not be used for any purpose other than that stated in the request 
and that the organization, agency, or instrumentality is aware of the 
penalty provision of 38 U.S.C. 5701(f).

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which VA collected the information. In all of the routine 
use disclosures described above, either the recipient of the 
information will use the information in connection with a matter 
relating to one of VA's programs, to provide a benefit to VA, or to 
disclose information as required by law.
    Under section 264, Subtitle F of Title II of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 
110 Stat. 1936, 2033-34 (1996), the United States Department of Health 
and Human Services (HHS) published a final rule, as amended, 
establishing Standards for Privacy of Individually-Identifiable Health 
Information, 45 CFR parts 160 and 164. VHA may not disclose 
individually identifiable health information (as defined in HIPAA and 
the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to 
a routine use unless either: (a) The disclosure is required by law, or 
(b) the disclosure is also permitted or required by HHS' Privacy Rule. 
The disclosures of individually-identifiable health information 
contemplated in the routine uses published in this new system of 
records notice are permitted under the Privacy Rule or required by law. 
However, to also have authority to make such disclosures under the 
Privacy Act, VA must publish these routine uses. Consequently, VA is 
publishing these routine uses to the routine uses portion of the system 
of records notice stating that any disclosure pursuant to the routine 
uses in this system of records notice must be either required by law or 
permitted by the Privacy Rule, before VHA may disclose the covered 
information.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director, OMB, as required by 5 U.S.C. 552a(r) (Privacy Act) and 
guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Dominic A. 
Cussatt, Acting Assistant Secretary of Information and Technology and 
Chief Information Officer, approved this document on April 20, 2021 for 
publication.


[[Page 28930]]


    Dated: May 25, 2021.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    VA Employee Whole Health Program Records-VA (199VA10).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    These records are located at VA facilities (see Appendix 1) and at 
other Federal, state, or local government or private sector agencies or 
institutions which have agreements with VA to provide designated whole 
health self-care and wellness services to VA employees.

SYSTEM MANAGER(S):
    Executive Director, Office of Patient Centered Care and Cultural 
Transformation, VA Central Office, 810 Vermont Avenue NW, Washington, 
DC 20420. Telephone number 773-820-2387 (this is not a toll-free 
number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 7901.

PURPOSE(S) OF THE SYSTEM:
    The records will be used for the purpose of evaluating the 
effectiveness of whole health self-care and wellness programs for 
employees. The records are used for documentation of program 
participation, will allow workload to be captured, and will enable 
program evaluation to assess effectiveness overall and on individual 
wellbeing.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    These records may include information on current or former VA 
employees, contractors, and volunteers, who have participated in 
designated whole health self-care and wellness activities.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records resulting from participation in agency-sponsored whole 
health self-care and wellness activities, including demographics (name, 
date of birth, race/ethnicity, and gender), health assessments 
(lifestyle behaviors--exercise, eating habits, tobacco use; emotional 
health--mood, stress, life events; and physical health--weight, blood 
pressure, cholesterol levels), personal health planning, health 
coaching, preventive services, fitness programs, and any other 
activities that could be considered part of a comprehensive worksite 
self-care and wellness program.

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided from the 
individual to whom the records pertain, agency whole health or employee 
whole health staff, and other providers of self-care and wellness 
activities designated to provide services to VA employees.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information of VHA or any of its business 
associates, and 38 U.S.C. 7332, i.e., medical treatment information 
related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia, 
or infection with the human immunodeficiency virus, that information 
cannot be disclosed under a routine use unless there is also specific 
disclosure authority in both 38 U.S.C. 7332 and 45 CFR parts 160 and 
164.
    1. VA may disclose information to a Member of Congress or staff 
acting upon the Member's behalf when the Member or staff requests the 
information on behalf of, and at the request of, the individual who is 
the subject of the record.
    2. VA may disclose information to appropriate agencies, entities, 
and persons when (1) VA suspects or has confirmed that there has been a 
breach of the system of records, (2) VA has determined that as a result 
of the suspected or confirmed breach there is a risk of harm to 
individuals, VA (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with VA's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    3. VA may disclose information to another Federal agency or Federal 
entity, when VA determines that information from this system of records 
is reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs, and 
operations), the Federal Government, or national security, resulting 
from a suspected or confirmed breach.
    4. VA may disclose information to the Department of Justice (DoJ), 
or in a proceeding before a court, adjudicative body, or other 
administrative body before which VA is authorized to appear, when: (a) 
VA or any component thereof; (b) Any VA employee in his or her official 
capacity; (c) Any VA employee in his or her official capacity where DoJ 
has agreed to represent the employee; or (d)The United States, where VA 
determines that litigation is likely to affect the agency or any of its 
components, is a party to such proceedings or has an interest in such 
proceedings, and VA determines that use of such records is relevant and 
necessary to the proceedings, provided, however, that in each case VA 
determines the disclosure is compatible with the purpose for which the 
records were collected. If the disclosure is in response to a subpoena, 
summons, investigative demand, or similar legal process, the request 
must meet the requirements for a qualifying law enforcement request 
under the Privacy Act, 5 U.S.C. 552a(b)(7), or an order from a court of 
competent jurisdiction under 552a(b)(11).
    5. VA may disclose information that, either alone or in conjunction 
with other information, indicates a violation or potential violation of 
law, whether civil, criminal, or regulatory in nature, to a Federal, 
state, local, territorial, tribal, or foreign law enforcement authority 
or other appropriate entity charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing such law. The disclosure of the names and addresses of 
Veterans and their dependents from VA records under this routine use 
must also comply with the provisions of 38 U.S.C. 5701. If the 
disclosure is in response to a request from a law enforcement entity, 
the request must meet the requirements for a qualifying law enforcement 
request under the Privacy Act, 5 U.S.C. 552a(b)(7).
    6. VA may disclose information to contractors, grantees, experts, 
consultants, students, and others performing or working on a contract, 
service, grant, cooperative agreement, or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    7. VA may disclose information to the Office of Personnel 
Management (OPM) in connection with the application or effect of civil 
service laws, rules, regulations, or OPM guidelines in particular 
situations.

[[Page 28931]]

    8. VA may disclose information to the Equal Employment Opportunity 
Commission (EEOC) in connection with investigations of alleged or 
possible discriminatory practices, examination of Federal affirmative 
employment programs, or other functions of the Commission as authorized 
by law.
    9. VA may disclose information to the Federal Labor Relations 
Authority (FLRA) in connection with: The investigation and resolution 
of allegations of unfair labor practices, the resolution of exceptions 
to arbitration awards when a question of material fact is raised; 
matters before the Federal Service Impasses Panel; and the 
investigation of representation petitions and the conduct or 
supervision of representation elections.
    10. VA may disclose information to the Merit Systems Protection 
Board (MSPB) and the Office of the Special Counsel in connection with 
appeals, special studies of the civil service and other merit systems, 
review of rules and regulations, investigation of alleged or possible 
prohibited personnel practices, and such other functions promulgated in 
5 U.S.C. 1205 and 1206, or as authorized by law.
    11. VA may disclose information to NARA in records management 
inspections conducted under 44 U.S.C. 2904 and 2906, or other functions 
authorized by laws and policies governing NARA operations and VA 
records management responsibilities.
    12. VA may disclose health care information to a non-VA health care 
provider, such as the Department of Defense and the Department of 
Health and Human Services, for the purpose of treating any VA patient, 
including Veterans.
    13. VA may disclose name(s) and address(es) of present or former 
members of the armed services and/or their dependents under certain 
circumstances: (a) To any nonprofit organization, if the release is 
directly connected with the conduct of programs and the utilization of 
benefits under Title 38, or (b) to any criminal or civil law 
enforcement governmental agency or instrumentality charged under 
applicable law with the protection of the public health or safety, if a 
qualified representative of such organization, agency, or 
instrumentality has made a written request for such name(s) or 
address(es) for a purpose authorized by law, provided that the records 
will not be used for any purpose other than that stated in the request 
and that the organization, agency, or instrumentality is aware of the 
penalty provision of 38 U.S.C. 5701(f).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    These records are maintained on paper documents in file folders and 
in electronic records systems at VA facilities and at other Federal, 
state, or local government or private sector agencies or institutions 
which have agreements with VA to provide designated whole health self-
care and wellness services to VA employees.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the employee's name, date of birth, Social 
Security number, or any combination of those identifiers. Records may 
also be retrieved by other unique identifiers such as type of whole 
health self-care and wellness service.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records will be retained and destroyed in accordance with the VA 
Records Control Schedule, RCS 10-1, 3015.8. When permitted by VA 
policy, the destruction of records will take place in the following 
manner: Temporary, destroy 3 years after the project/activity/or 
transaction is completed or superseded, but longer retention is 
authorized if needed for business use (DAA-GRS-2017-0010-0013, item 
080).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Paper records are stored in locked file cabinets or locked rooms. 
Generally, file areas are locked after normal duty hours. Automated 
records are protected by restricted access procedures and audit trails. 
Access to records is strictly limited to VA or contractor officials 
with a bona fide need for access to the records. Strict control 
measures are enforced to ensure that access to and disclosure from 
these records are limited to a ``need-to-know basis.'' Access to 
computer rooms within the health care facilities is generally limited 
by appropriate locking devices and restricted to authorized VA 
employees and vendor personnel. Automated data processing peripheral 
devices are generally placed in secure areas (areas that are locked or 
have limited access) or are otherwise protected. Information in the 
electronic records system may be accessed by authorized VA employees. 
Access to file information is controlled at two levels; the system 
recognizes authorized employees by a series of individually unique 
passwords/codes as a part of each data message, and the employees are 
limited to only that information in the file which is needed in the 
performance of their official duties.

RECORD ACCESS PROCEDURES:
    Individuals requesting access to and contesting the contents of 
records must submit the following information for their records to be 
located and identified: (1) Full name, (2) date of birth, (3) Social 
Security number, (4) name and location of VA facility where last 
employed and dates of employment, and (5) signature. Individuals will 
submit the request to either the Employee Whole Health Coordinator or 
the Whole Health Program Manager at a VA facility, dependent upon 
staffing at the local facility.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above).

NOTIFICATION PROCEDURES:
    Individuals wishing to inquire whether this system of records 
contains records on them should follow the appropriate procedure listed 
below:
    a. Current employees. Current employees should contact either the 
Employee Whole Health Coordinator or the Whole Health Program Manager 
at a VA facility, dependent upon staffing at the local facility at 
which they are employed. Individuals must furnish such identifying 
information as required by VA for their records to be located and 
identified.
    b. Former employees. Former employees should contact either the 
Employee Whole Health Coordinator or the Whole Health Program Manager 
at a VA facility, dependent upon staffing at the local facility at 
which they were employed. Individuals submitting requests must submit 
the following information for their records to be located and 
identified: (1) Full name, (2) date of birth, (3) Social Security 
number, (4) name and location of VA facility where last employed and 
dates of employment, and (5) signature.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

[FR Doc. 2021-11316 Filed 5-27-21; 8:45 am]
BILLING CODE 8320-01-P