[Federal Register Volume 86, Number 156 (Tuesday, August 17, 2021)]
[Notices]
[Pages 46097-46099]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-17527]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Veterans Health Administration, Department of Veterans Affairs 
(VA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Community Care Referrals and Authorization (CCRA) is an 
enterprise-wide system used by facility community care staff to 
generate referrals and authorizations for Veterans receiving care in 
the community. VA community care staff and non-VA staff use this 
solution to enhance Veteran access to care. CCRA is an integral 
component of the community care information technology architecture 
that allows Veterans to receive care from community providers. CCRA 
also allows Veterans and non-VA medical facilities to request VA 
authorization of emergent and urgent Veteran care.

DATES: Comments on this modified system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by VA, the 
modified system of records will become effective a minimum of 30 days 
after date of publication in the Federal Register. If VA receives 
public comments, VA shall review the comments to determine whether any 
changes to the notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to HealthShare Referral Manager (HSRM)-VA (180VA10D). 
Comments received will be available at regulations.gov for public 
viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Robert Hassinger, Product Manager, 
Community Care Referrals and Authorization (CCRA) System, Office of 
Information and Technology Field Office, 55 Elk Street--3rd Floor, 
Albany, NY 12210. Telephone number: (518) 449-0600. (This is not a 
toll-free number.)

SUPPLEMENTARY INFORMATION: CCRA is an enterprise-wide solution in 
support of the Veterans Access, Choice, and Accountability Act of 2014 
(Pub. L. 113-146) (``Choice Act''), as amended by the VA Expiring 
Authorities Act of 2014 (Pub. L. 113-175), to generate referrals and 
authorizations for Veterans receiving care in the community. VA 
clinical providers and Non-VA clinical providers will access a cloud-
based software system to request and refer clinical care for Veterans 
with Community Care providers. This solution will enhance Veteran 
access to care by utilizing a common and modern system to orchestrate 
the complex business of VA referral management.
    The CCRA solution is an integral component of the VA Community Care 
(CC) Information Technology (IT) architecture, and will track and share 
health care information and correspondence necessary for Veterans to be 
seen for appropriate and approved episodes of CC. Additionally, CCRA 
allows Veterans and non-VA-medical facilities to request VA 
authorization of emergent and urgent Veteran care. The CCRA solution 
will allow the VA to move to a process that generates standardized 
referrals and authorizations, according to clinical and business rules.
    The CCRA project provides HealthShare Referral manager by 
InterSystems as the CCRA solution. HealthShare Referral Manager is a 
commercial off-the-shelf software product that is hosted in an Amazon 
Web Services (AWS) FedRAMP High Gov cloud and is planned for enterprise 
integration with VA systems, both inside and outside of CC.
    Two additional Routine Uses are listed in this Modified SORN and 
are detailed in a later section. These Routine Uses directly relate to 
the referral process utilized by the CCRA solution.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Dominic A. 
Cussatt, Acting Assistant Secretary of Information and Technology and 
Chief Information Officer, approved this document on July 2, 2021 for 
publication.

    Dated: August 11, 2021.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    HealthShare Referral Manager (HSRM)-VA (180VA10D)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Amazon Web Services, LLC, 12900 Worldgate Dr, Herndon, VA 20170. 
Community Care Referrals and Authorization (CCRA) System Product 
Manager, Office of Information and Technology Field Office, 55 Elk 
Street--3rd Floor, Albany, NY 12210.

SYSTEM MANAGER(S):
    Official responsible for policies and procedures: Program Manager--
Project & Portfolio Services (PPS), Business Operations & 
Administration (BOA) 13BOA8, VHA Office of Community Care, U.S. 
Department of Veterans Affairs. Telephone number: (720) 234-5234 or 
(720) 560-1452. (These are not toll-free numbers.).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38 United States Code 7301(a); Title 38 United States Code 
1703--Veterans Community Care Program; Veterans Access, Choice, and 
Accountability Act of 2014 (Pub. L. 113-146).

PURPOSE(S) OF THE SYSTEM:
    CCRA is an enterprise-wide system used by community care staff to 
automatically generate referrals and authorizations for all Veterans 
receiving care in the community. The system is an integral component of 
the VA community care information technology (IT) architecture, and 
allows Veterans to receive care from community providers within the 
Community Care Network through the Veterans Choice Program. The CCRA 
system allows these providers to view relevant patient and clinical 
information from Veterans Information Systems and Technology 
Architecture (VistA). The exchange of health care information and 
authorizations enhances VA's ability to ensure that Veterans receive 
the best health care available to address their medical needs. The CCRA 
system also enabled the VA to move from what is currently a largely 
manual process to an automated process that generates standardized 
referrals and authorizations according to clinical and business rules. 
The automated process

[[Page 46098]]

decreases the administrative burden on VA clinical and community care 
staff members by way of establishing clinical and business pathways 
that which reflect best processes, consistent outcomes, and reduced 
turnaround times.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning:
    1. Veterans who have applied for health care services under Title 
38, United States Code, Chapter 17, and in certain cases members of 
their immediate families.
    2. Individuals examined or treated under contract or resource 
sharing agreements.
    3. Individuals who were provided medical care under emergency 
conditions for humanitarian reasons.
    4. Health care professionals providing examination or treatment to 
any individuals within VA health care facilities.
    5. Healthcare professionals providing examination or treatment to 
individuals under contract or resource sharing agreements or CC 
programs, such as Choice.
    6. Patients and members of their immediate family, volunteers, 
maintenance personnel, as well as individuals working collaboratively 
with VA.
    7. Contractors, sub-contractors, contract personnel, students, 
providers and consultants.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information and health information related 
to:
    1. Identifying information (e.g., name, birth date, death date, 
admission date, discharge date, gender, social security number, 
taxpayer identification number); address information (e.g., home and/or 
mailing address, home telephone number, emergency contact information 
such as name, address, telephone number, and relationship); prosthetic 
and sensory aid serial numbers; medical record numbers; integration 
control numbers; information related to medical examination or 
treatment (e.g., location of VA medical facility providing examination 
or treatment, treatment dates, medical conditions treated or noted on 
examination); information related to military service and status.
    2. Computer access authorizations, computer applications available 
and used, information access attempts, frequency and time of use; 
identification of the person responsible for, currently assigned, or 
otherwise engaged in various categories of patient care or support of 
health care delivery.
    3. Application, eligibility, and claim information regarding 
payment determination for medical services provided to VA beneficiaries 
by non-VA health care institutions and providers.
    4. Health care provider's name, address, and taxpayer 
identification number, correspondence concerning individuals and 
documents pertaining to claims for medical services, reasons for denial 
of payment, and appellate determinations.

RECORD SOURCE CATEGORIES:
    The Veteran or other VA beneficiary, family members or accredited 
representatives, and other third parties; private medical facilities 
and healthcare professionals; health insurance carriers; other Federal 
agencies; employees; contractors; VHA facilities and automated systems 
providing clinical and managerial support at VA health care facilities.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. Congress
    VA may disclose information to a Member of Congress or staff acting 
upon the Member's behalf when the Member or staff requests the 
information on behalf of, and at the request of, the individual who is 
the subject of the record.
    2. Data Breach Response and Remediation, for VA
    VA may disclose information to appropriate agencies, entities, and 
persons when (1) VA suspects or has confirmed that there has been a 
breach of the system of records, (2) VA has determined that as a result 
of the suspected or confirmed breach there is a risk of harm to 
individuals, VA (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with VA's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    3. Data Breach Response and Remediation, for Another Federal Agency
    VA may disclose information to another Federal agency or Federal 
entity, when VA determines that the information is reasonably necessary 
to assist the recipient agency or entity in (1) responding to a 
suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    4. Law Enforcement
    VA may disclose information that, either alone or in conjunction 
with other information, indicates a violation or potential violation of 
law, whether civil, criminal, or regulatory in nature, to a Federal, 
state, local, territorial, tribal, or foreign law enforcement authority 
or other appropriate entity charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing such law. The disclosure of the names and addresses of 
veterans and their dependents from VA records under this routine use 
must also comply with the provisions of 38 U.S.C. 5701.
    5. DoJ for Litigation or Administrative Proceeding
    VA may disclose information to the Department of Justice (DoJ), or 
in a proceeding before a court, adjudicative body, or other 
administrative body before which VA is authorized to appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her official capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components, is a party to 
such proceedings or has an interest in such proceedings, and VA 
determines that use of such records is relevant and necessary to the 
proceedings.
    6. Contractors
    VA may disclose information to contractors, grantees, experts, 
consultants, students, and others performing or working on a contract, 
service, grant, cooperative agreement, or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    7. OPM
    VA may disclose information to the Office of Personnel Management 
(OPM) in connection with the application or effect of civil service 
laws, rules, regulations, or OPM guidelines in particular situations.
    8. EEOC
    VA may disclose information to the Equal Employment Opportunity 
Commission (EEOC) in connection with investigations of alleged or 
possible discriminatory practices, examination of Federal affirmative 
employment

[[Page 46099]]

programs, or other functions of the Commission as authorized by law.
    9. FLRA
    VA may disclose information to the Federal Labor Relations 
Authority (FLRA) in connection with: the investigation and resolution 
of allegations of unfair labor practices, the resolution of exceptions 
to arbitration awards when a question of material fact is raised; 
matters before the Federal Service Impasses Panel; and the 
investigation of representation petitions and the conduct or 
supervision of representation elections.
    10. MSPB
    VA may disclose information to the Merit Systems Protection Board 
(MSPB) and the Office of the Special Counsel in connection with 
appeals, special studies of the civil service and other merit systems, 
review of rules and regulations, investigation of alleged or possible 
prohibited personnel practices, and such other functions promulgated in 
5 U.S.C. 1205 and 1206, or as authorized by law.
    11. NARA
    VA may disclose information to NARA in records management 
inspections conducted under 44 U.S.C. 2904 and 2906, or other functions 
authorized by laws and policies governing NARA operations and VA 
records management responsibilities.
    12. Health Care Providers, for Referral by VA
    VA may disclose information to: (1) A federal agency or health care 
provider when VA refers a patient for medical and other health 
services, or authorizes a patient to obtain such services and the 
information is needed by the federal agency or health care provider to 
perform the services; or (2) a federal agency or to health care 
provider under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, 
when treatment is rendered by VA under the terms of such contract or 
agreement or the issuance of an authorization, and the information is 
needed for purposes of medical treatment or follow-up, determination of 
eligibility for benefits, or recovery by VA of the costs of the 
treatment.
    13. Health Care Provider, for Referral to VA
    VA may disclose information to a non-VA health care provider when 
that health care provider has referred the individual to VA for medical 
or other health services.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    CCRA relies on information in VistA, and only collects information 
related to referrals. Referral information is maintained as part of the 
individual's electronic health care record in accordance with the rules 
applied to those records. The CCRA system is hosted in Amazon Web 
Services (AWS) Government Cloud (GovCloud) infrastructure as a service 
cloud computing environment that has been authorized at the high-impact 
level under the Federal Risk and Authorization Management Program 
(FedRAMP). The secure site-to-site encrypted network connection is 
limited to access via the VA trusted internet connection (TIC).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by name, social security number or other 
assigned identifiers of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    These patient appointment and appointment schedules records shall 
be maintained per Record Control Schedule (RCS) 10-1 item; 2201.1. 
According to General Records Schedule (GRS) 5.1 item 010, DAA-GRS-2017-
0003-0001, temporary destroy transitory records, messages coordinating 
schedules, appointments, and events when no longer needed for business 
use, or according to agency predetermined time or business rule.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. CCRA has physical controls and securely stores digital and non-
digital media defined within the latest revision of NIST SP 800-88, 
Guidelines for Media Sanitization, and VA 6500, within controlled 
areas; and protects information system media until the media is 
destroyed or sanitized using approved equipment, techniques, and 
procedures.
    2. The CCRA system is hosted in Amazon Web Services (AWS) 
Government Cloud (GovCloud) infrastructure as a service cloud computing 
environment that has been authorized at the high-impact level under the 
Federal Risk and Authorization Management Program (FedRAMP). The secure 
site-to-site encrypted network connection is limited to access via the 
VA trusted internet connection (TIC).

RECORD ACCESS PROCEDURES:
    Individuals seeking information regarding access to and contesting 
of records in this system may write, call or visit the VA facility 
location where medical care was provided or VHA Office of Community 
Care.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURES:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to review the contents of such record, should 
submit a written request or apply in person to the last VA health care 
facility where care was rendered. All inquiries must reasonably 
describe the portion of the medical record involved and the place and 
approximate date that medical care was provided. Inquiries should 
include the patient's full name, social security number, and return 
address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Federal Register 83 FR 64935/Vol. 83, No. 242/Tuesday, December 18, 
2018.

[FR Doc. 2021-17527 Filed 8-16-21; 8:45 am]
BILLING CODE P