[Federal Register Volume 86, Number 227 (Tuesday, November 30, 2021)]
[Notices]
[Pages 68043-68048]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-26026]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA), Veterans Health 
Administration (VHA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, notice is hereby given 
that the Department of Veterans Affairs (VA) is modifying the system of 
records entitled ``Ethics Consultation Web-based Database (ECWeb)-VA'' 
(152VA10P6). VA is modifying the system by revising the System Name; 
System Number; System Location; Purpose of the System; Categories of 
Records in the System; Record Source Categories; Routine Uses of 
Records Maintained in the System; Policies and Practices for Storage of 
Records; Policies and Practices for Retention and Disposal of Records; 
and Physical, Procedural, and Administrative Safeguards. VA is 
republishing the system notice in its entirety.

DATES: Comments on this modified system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by VA, the 
modified system of records will become effective a minimum of 30 days 
after date of publication in the Federal Register. If VA receives 
public comments, VA shall review the comments to determine whether any 
changes to the notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Ethics Consultation Web-based Database (ECWeb)-VA 
(152VA10P6)''. Comments received will be available at regulations.gov 
for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health 
Administration (VHA) Privacy Officer, Department of Veterans Affairs, 
810

[[Page 68044]]

Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492 
(Note: This is not a toll-free number).

SUPPLEMENTARY INFORMATION: The System Name will be changed from 
``Ethics Consultation Web-based Database (ECWeb)-VA'' to 
``IntegratedEthics Web Database (IEWeb)-VA''. The System Number will be 
changed from 152VA10P6 to 152VA10 to reflect the current VHA 
organizational routing symbol.
    The System Location is being updated to remove automated records 
within ECWeb maintained on a VA server administered by VA, 810 Vermont 
Avenue NW, Washington, DC. This section will include IntegratedEthics 
Web Database (IEWeb) may be maintained on Salesforce Development 
Platform (SFDP) VA and is hosted in a Federal Risk Authorization 
Management Program (FedRAMP) certified cloud, as administered by 
Salesforce at 44521 Hastings Dr., Building 90, Ashburn, VA 20147.
    The Purpose is being modified to include ethics quality improvement 
and documenting ethics activities that do not relate to ethics 
consultation or ethics quality improvement but are important for the 
ethical culture and environment of VHA.
    The Categories of Records in the System is being modified to 
include: 2. Preventive Ethics (PE) records document work done to 
address recurring ethical concerns by applying quality improvement 
methods to identify and address ethics gaps on a systems level 
including intake forms and project record forms. PE records may include 
the name and contact information of VA employees as well as information 
about ethical standards, best ethics practices, current state, ethics 
quality gap, improvement goals, domains and topics, impact on patients 
and/or staff, prioritization, results, volume or scope of effect. 3. 
Ethics Activity Log (EAL) records document education, training, 
clinical and administrative rounding, referrals and other ethics 
activities that do not relate to ethics consultation or preventive 
ethics activities. EAL records may include the name and contact 
information of VA employees as well as information such as a 
description of the ethics activity, domain, topic, time spent.
    The Record Source Categories is being modified to include ``Patient 
Medical Records-VA'' (24VA10A7), ``Veterans Health Information System 
and Technology Architecture (VistA) Records-VA'' (79VA10), and 
electronic health record systems.
    The Routine Uses of Records Maintained in the System will delete 
routine use #20, which was a duplicate of Routine Use #2. The following 
Routine Uses will be deleted:
    8. Relevant health care information may be disclosed to a non-VA 
nursing home facility that is considering the patient for admission, 
when information concerning the individual's medical care is needed for 
the purpose of preadmission screening under 42 CFR 483.20(f), for the 
purpose of identifying patients who are mentally ill or mentally 
retarded, so they can be evaluated for appropriate placement.
    9. Relevant health care information may be disclosed to a State 
Veterans Home for the purpose of medical treatment and/or follow-up at 
the State Home when VA makes payment of a per diem rate to the State 
Home for the patient receiving care at such home, and the patient 
receives VA medical care.
    10. Relevant health care information may be disclosed to (a) A 
Federal agency or non-VA health care provider or institution when VA 
refers a patient for hospital or nursing home care or medical services, 
or authorizes a patient to obtain non-VA medical services and the 
information is needed by the Federal agency or non-VA institution or 
provider to perform the services; or (b) a Federal agency or a non-VA 
hospital (Federal, state and local, public or private) or other medical 
installation having hospital facilities, blood banks, or similar 
institutions, medical schools or clinics, or other groups or 
individuals that have contracted or agreed to provide medical services, 
or share the use of medical resources under the provisions of 38 U.S.C. 
513, 7409, 8111, or 8153, when treatment is rendered by VA under the 
terms of such contract or agreement or the issuance of an 
authorization, and the information is needed for purposes of medical 
treatment and/or follow-up, determining entitlement to a benefit or, 
for VA to effect recovery of the costs of the medical care.
    The following Routine Uses will be added:
    8. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    9. VA may disclose information to: (1) A Federal agency or health 
care provider when VA refers a patient for medical and other health 
services, or authorizes a patient to obtain such services and the 
information is needed by the Federal agency or health care provider to 
perform the services; or (2) a Federal agency or to health care 
provider under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, 
when treatment is rendered by VA under the terms of such contract or 
agreement or the issuance of an authorization, and the information is 
needed for purposes of medical treatment or follow-up, determination of 
eligibility for benefits, or recovery by VA of the costs of the 
treatment.
    10. VA may disclose information to the National Practitioner Data 
Bank at the time of hiring or clinical privileging/re-privileging of 
health care practitioners, and other times as deemed necessary by VA, 
in order for VA to obtain information relevant to a Department decision 
concerning the hiring, privileging/re-privileging, retention, or 
termination of the applicant or employee.
    The following Routine Uses will be modified.
    15. VA may disclose information to the DoJ or in a proceeding 
before a court, adjudicative body, or other administrative body before 
which VA is authorized to appear, when:

    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her official capacity where DoJ 
has agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components,

is a party to such proceedings or has an interest in such proceedings, 
and VA determines that use of such records is relevant and necessary to 
the proceedings.
    16. VA may disclose information that, either alone or in 
conjunction with other information, indicates a violation or potential 
violation of law, whether civil, criminal, or regulatory in nature, to 
a Federal, state, local, territorial, tribal, or foreign law 
enforcement authority or other appropriate entity charged with the 
responsibility of investigating or prosecuting such violation or 
charged with enforcing or implementing such law. The disclosure of the 
names and addresses of Veterans and their dependents from VA records 
under this routine use must also comply with the provisions of 38 
U.S.C. 5701.

[[Page 68045]]

    Policies and Practices for Storage of Records is being modified to 
remove copies of back up computer filed being maintained at an off-site 
location. This section will include that records are maintained on the 
VA Salesforce Government Cloud (i.e., Federal Risk Authorization 
Management Program (FedRAMP) certified cloud).
    Policies and Practices for Retention and Disposal of Records is 
being modified to replace Record Control Schedule (RCS) 10-1 Item 
#XLIII-2, with RCS 10-1 item 6000.2. Also, General Records Schedule 
(GRS) 25 Items 1.a and 1.b (N1-GRS-01-1 item 1a & 1b) will be replaced 
with, GRS 2.8 Item 010.
    Physical, Procedural, and Administrative Safeguards (Access) is 
being modified to remove: 1. Access to VA working and storage areas is 
restricted to VA employees on a ``need-to-know'' basis; strict control 
measures are enforced to ensure that disclosure to these individuals is 
also based on this same principle. Generally, VA file areas are locked 
after normal duty hours and the facilities are protected from outside 
access by the Federal Protective Service or other security personnel. 
2. Access to computer rooms at health care facilities is generally 
limited by appropriate locking devices and restricted to authorized VA 
employees and vendor personnel. Automated Data Processing (ADP) 
peripheral devices are placed in secure areas (areas that are locked or 
have limited access) or are otherwise protected. Information in ECWeb 
may be accessed by authorized VA employees. Access to file information 
is controlled at two levels; the systems recognize authorized employees 
by series of individually unique passwords/codes as a part of each data 
message, and the employees are limited to only that information in the 
file, which is needed in the performance of their official duties. 
Information that is downloaded from ECWeb and maintained on personal 
computers is afforded similar storage and access protections as the 
data that is maintained in the original files. Access to information 
stored on automated storage media at other VA locations is controlled 
by individually unique passwords/codes. 3. Access to computer rooms is 
restricted to authorized operational personnel through electronic 
locking devices. All other persons gaining access to computer rooms are 
escorted. Information stored in the computer may be accessed by 
authorized VA employees at remote locations including VA health care 
facilities, Information Systems Centers, VA Central Office, and Veteran 
Integrated Service Networks. Access is controlled by individually 
unique passwords/codes, which must be changed periodically by the 
employee. This section will now state, Salesforce Government Cloud is 
maintaining underlying physical infrastructure. Additional 
Interconnection Security Agreement (ISA) and Memorandum of 
Understanding (MOU) are required between the VA and VA designated 
contractors/vendors that own the data that is stored or processed 
within Salesforce Development Platform VA. The vendor-specific 
agreements will describe the data ownership and storage requirements. 
The parties agree that transmission, storage and management of VA 
sensitive information residing in the Salesforce Development Platform 
VA is the sole responsibility of VA employees or designated 
contractors/vendors assigned to manage the system. At no time will 
Salesforce Government Cloud have any access to VA data residing within 
the Salesforce Development Platform VA. Thus, all agreements on data 
and system responsibilities shall not be covered in this base agreement 
(i.e., MOU). However, Salesforce Government Cloud shall provide the 
tools to allow VA to properly secure all systems and data hosted in the 
Salesforce Development Platform VA.
    The Report of Intent to Modify a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Neil C. 
Evans, M.D., Chief Officer, Connected Care, Performing the Delegable 
Duties of the Assistant Secretary for Information and Technology and 
Chief Information Officer, approved this document on October 19, 2021 
for publication.

    Dated: November 24, 2021.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    Integrated Ethics Web Database (IEWeb)--VA (152VA10).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Automated records within the IntegratedEthics Web Database (IEWeb) 
may be maintained on Salesforce Development Platform (SFDP) VA and is 
hosted in a Federal Risk Authorization Management Program (FedRAMP) 
certified cloud, as administered by Salesforce at 44521 Hastings Dr., 
Building 90, Ashburn, VA 20147.

SYSTEM MANAGER(S):
    Official responsible for policies and procedures: Toby Schonfeld, 
Ph.D., Executive Director, National Center for Ethics in Health Care, 
Veterans Health Administration, Department of Veterans Affairs, 810 
Vermont Avenue NW, Washington, DC 20420. Telephone (202) 461-1750 
(Note: This is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, U.S.C., 501(b), 304, 7301, and 7304(a).

PURPOSE(S) OF THE SYSTEM:
    The records may be used for such purposes as: Education about 
ethics consultation; ongoing treatment of the patient; documentation of 
treatment provided; payment; healthcare operations such as producing 
various management and patient follow-up reports; responding to patient 
and other inquiries; for ethics quality improvement; for documenting 
ethics activities that do not relate to ethics consultation or ethics 
quality improvement but are important for the ethical culture and 
environment of VHA; for epidemiological research and other healthcare 
related studies; statistical analysis, resource allocation and 
planning; providing clinical and administrative support to patient 
healthcare; audits, reviews and investigations conducted by staff of 
the healthcare facility, the VISN's, VA Central Office, and the VA 
Office of Inspector General (OIG); sharing of health information 
between and among VHA, Department of Defense (DoD), Indian Health 
Services (IHS), and other government and private industry healthcare 
organizations; quality

[[Page 68046]]

improvement/assurance audits, reviews and investigations; personnel 
management and evaluation; employee ratings and performance 
evaluations, and employee disciplinary or other adverse action, 
including removal; advising healthcare professional licensing or 
monitoring bodies or similar entities of activities of VA and former VA 
healthcare personnel; and, accreditation of a VA healthcare facility by 
an entity such as The Joint Commission (TJC).

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning.
    1. Veterans who have applied for healthcare services under Title 
38, U.S.C., Chapter 17, and members of their immediate families.
    2. Spouse, surviving spouse, and children of Veterans who have 
applied for healthcare services under Title 38, U.S.C., Chapter 17.
    3. Other requesters or participants from outside VA for whom 
personal information will be collected.
    4. Individuals examined or treated under contract or resource 
sharing agreements.
    5. Individuals examined or treated for research or donor purposes.
    6. Individuals who have applied for Title 38 benefits, but who do 
not meet the requirements under Title 38 to receive such benefits.
    7. Individuals who were provided medical care under emergency 
conditions for humanitarian reasons.
    8. Pensioned members of allied forces provided healthcare services 
under Title 38, U.S.C., Chapter I.
    9. Current and former employees.
    10. Contractors employed by VA.

CATEGORIES OF RECORDS IN THE SYSTEM:
    There are three types of records in IEWeb:
    1. Ethics Consultation (EC) records document the consultation 
request, relevant consultation specific information, a summary of the 
information including the ethical analysis and moral deliberation, the 
explanation of the findings to relevant parties, and support of the 
consultation process. EC records also include related notes and 
attachments.
    These records may include information related to ethics 
consultations performed in and for VHA healthcare facilities. 
Information may include relevant information from a health record 
(e.g., a cumulative account of sociological, diagnostic, counseling, 
rehabilitation, drug and alcohol, dietetic, medical, surgical, dental, 
psychological, and/or psychiatric information compiled by VA 
professional staff and non-VA healthcare providers); subsidiary record 
information (e.g., tumor registry, dental, pharmacy, nuclear medicine, 
clinical laboratory, radiology, and patient scheduling information); 
identifying information (e.g., name, address, date of birth, partial 
Social Security number), military service information (e.g., dates, 
branch and character of service, service number, health information), 
family or authorized surrogate information (e.g., next-of-kin and 
person to notify in an emergency), employment information (e.g., 
occupation, employer name and address), and information pertaining to 
the individual's medical, surgical, psychiatric, dental, and/or 
treatment (e.g., information related to the chief complaint and history 
of present illness; information related to physical, diagnostic, 
therapeutic, special examinations, clinical laboratory, pathology and 
x-ray findings, operations, medical history, medications prescribed and 
dispensed, treatment plan and progress, consultations; photographs 
taken for identification and medical treatment, education and research 
purposes; facility locations where treatment is provided; observations 
and clinical impressions of healthcare providers to include identity of 
providers and to include, as appropriate, the present state of the 
patient's health, an assessment of the patient's emotional, behavioral, 
and social status, as well as an assessment of the patient's 
rehabilitation potential and nursing care needs). In addition, EC 
records may include the name(s) and contact information of healthcare 
providers, and information regarding healthcare rendered by those 
providers.
    2. Preventive Ethics (PE) records document work done to address 
recurring ethical concerns by applying quality improvement methods to 
identify and address ethics gaps on a systems level including intake 
forms and project record forms. PE records may include the name and 
contact information of VA employees as well as information about 
ethical standards, best ethics practices, current state, ethics quality 
gap, improvement goals, domains and topics, impact on patients and/or 
staff, prioritization, results, volume or scope of effect.
    3. Ethics Activity Log (EAL) records document education, training, 
clinical and administrative rounding, referrals and other ethics 
activities that do not relate to ethics consultation or preventive 
ethics activities. EAL records may include the name and contact 
information of VA employees as well as information such as a 
description of the ethics activity, domain, topic, and time spent.

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by the patient, 
family members or accredited representative, and friends, authorized 
surrogates, healthcare agents, employees, contractors, medical service 
providers, and various automated systems providing clinical and 
managerial support at VA healthcare facilities, ``Patient Medical 
Records-VA'' (24VA10A7), ``Veterans Health Information System and 
Technology Architecture (VistA) Records-VA'' (79VA10), and VA 
electronic health record systems.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system may include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia, or infection with the Human Immunodeficiency 
Virus, that information may not be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. VA may disclose information to Federal, state, and local 
government agencies and national health organizations as reasonably 
necessary to assist in the development of programs that will be 
beneficial to claimants, to protect their rights under law, and assure 
that they are receiving all benefits to which they are entitled.
    2. Information may be disclosed by appropriate VA personnel to the 
extent necessary, on a need-to-know basis, and consistent with good 
medical-ethical practices, to family members or the persons with whom 
the patient has a meaningful relationship.
    3. VA may disclose information relevant to a claim of a Veteran or 
beneficiary, such as the name, address, the basis and nature of a 
claim, amount of benefit payment information, medical information, and 
military service and active duty separation information, only at the 
request of the claimant to accredited service organizations, VA-
approved claim agents, and attorneys acting under a declaration of 
representation, so that these individuals can aid claimants in the 
preparation, presentation, and prosecution of claims under the laws 
administered by VA.

[[Page 68047]]

    4. VA may disclose information to attorneys, insurance companies, 
employers, third parties liable or potentially liable under health plan 
contracts, and courts, boards, or commissions as relevant and necessary 
to aid VA in the preparation, presentation, and prosecution of claims 
authorized by law.
    5. VA may disclose information from this system to epidemiological 
and other research facilities approved by the Under Secretary for 
Health for research purposes determined to be necessary and proper, 
provided that the names and addresses of Veterans and their dependents 
will not be disclosed unless those names and addresses are first 
provided to VA by the facilities making the request.
    6. VA may disclose information to another Federal agency, court, or 
party in litigation before a court or in an administrative proceeding 
conducted by a Federal agency, when the government is a party to the 
judicial or administrative proceeding.
    7. Information concerning a non-judicially declared incompetent 
patient may be disclosed to a third party upon the written request of 
the patient's next-of-kin in order for the patient, or, consistent with 
the best interest of the patient, a member of the patient's family, to 
receive a benefit to which the patient or family member is entitled or 
to arrange for the patient's discharge from a VA medical facility. 
Sufficient data to make an informed determination will be made 
available to such next-of-kin. If the patient's next-of-kin is not 
reasonably accessible, the Chief of Staff, Director, or designee of the 
custodial VA medical facility may disclose the information for these 
purposes.
    8. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    9. VA may disclose information to: (1) A Federal agency or health 
care provider when VA refers a patient for medical and other health 
services, or authorizes a patient to obtain such services and the 
information is needed by the Federal agency or health care provider to 
perform the services; or (2) a Federal agency or to health care 
provider under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, 
when treatment is rendered by VA under the terms of such contract or 
agreement or the issuance of an authorization, and the information is 
needed for purposes of medical treatment or follow-up, determination of 
eligibility for benefits, or recovery by VA of the costs of the 
treatment.
    10. VA may disclose information to the National Practitioner Data 
Bank at the time of hiring or clinical privileging/re-privileging of 
health care practitioners, and other times as deemed necessary by VA, 
in order for VA to obtain information relevant to a Department decision 
concerning the hiring, privileging/re-privileging, retention, or 
termination of the applicant or employee.
    11. Information from an IEWeb record which relates to the 
performance of a healthcare student or provider may be disclosed to a 
medical or nursing school, or other healthcare related training 
institution, or other facility with which there is an affiliation, 
sharing agreement, contract, or similar arrangement when the student or 
provider is enrolled at or employed by the school or training 
institution, or other facility, and the information is needed for 
personnel management, rating and/or evaluation purposes.
    12. VA may disclose information from this system of records to 
individuals, organizations, private or public agencies, or other 
entities or individuals with whom VA has a contract or agreement to 
perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor, subcontractor, 
public or private agency, or other entity or individual with whom VA 
has a contract or agreement to perform services under the contract or 
agreement. This routine use includes disclosures by an individual or 
entity performing services for VA to any secondary entity or individual 
to perform an activity that is necessary for individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to provide the 
service to VA.
    13. VA may disclose information to a Member of Congress or staff 
acting upon the Member's behalf when the Member or staff requests the 
information on behalf of, and at the request of, the individual who is 
the subject of the record.
    14. VA may disclose information to National Archives and Records 
Administration (NARA) in records management inspections conducted under 
44 U.S.C. 2904 and 2906, or other functions authorized by laws and 
policies governing NARA operations and VA records management 
responsibilities.
    15. VA may disclose information to the DoJ or in a proceeding 
before a court, adjudicative body, or other administrative body before 
which VA is authorized to appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her official capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components,

    is a party to such proceedings or has an interest in such 
proceedings, and VA determines that use of such records is relevant and 
necessary to the proceedings.
    16.VA may disclose information that, either alone or in conjunction 
with other information, indicates a violation or potential violation of 
law, whether civil, criminal, or regulatory in nature, to a Federal, 
state, local, territorial, tribal, or foreign law enforcement authority 
or other appropriate entity charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing such law. The disclosure of the names and addresses of 
Veterans and their dependents from VA records under this routine use 
must also comply with the provisions of 38 U.S.C. 5701.
    17. VA may disclose information to other Federal agencies to assist 
such agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    18. VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons reasonably necessary to assist in connection with VA efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    19. VA may disclose information to survey teams of The Joint 
Commission, College of American Pathologists, American Association of 
Blood Banks, and similar national accreditation agencies or boards with 
which VA has

[[Page 68048]]

a contract or agreement to conduct such reviews, as relevant and 
necessary for the purpose of program review or the seeking of 
accreditation or certification.
    20. VA may disclose ethics consultation records to groups (e.g., 
American Society for Bioethics and the Humanities) performing 
improvement or quality assessments as part of approved research or 
quality improvement projects with respect to ethics consultation 
practices.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are maintained on the VA Salesforce Government Cloud (i.e., 
Federal Risk Authorization Management Program (FedRAMP) certified 
cloud). Subsidiary record information is maintained at the various 
respective IntegratedEthics services within the VHA healthcare facility 
and by individuals, organizations, and/or agencies with whom VA has a 
contract or agreement to perform such services, as the VA may deem 
practicable.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by record number, name of ethics consultant 
and other VA staff, requester, ethics domain or topic, facility, 
keywords or phrases.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records that are stored within Computerized Patient Record System 
(CPRS) and Veterans Health Information Systems and Technology 
Architecture (VistA) will be maintained in accordance with Record 
Control Schedule (RCS) 10-1 Item 6000.2, Electronic Health Records, 
NARA job# N1-15-02-3. All other records maintained outside the 
Electronic Health Record will be maintained in accordance with General 
Records Schedule (GRS) 2.8 Ethics Program Records Item 010.

ADMINSITRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Salesforce Government Cloud is maintaining underlying physical 
infrastructure. Additional ISA and MOU are required between the VA and 
VA designated contractors/vendors that own the data that is stored or 
processed within Salesforce Development Platform VA. The vendor-
specific agreements will describe the data ownership and storage 
requirements. The parties agree that transmission, storage and 
management of VA sensitive information residing in the Salesforce 
Development Platform VA is the sole responsibility of VA employees or 
designated contractors/vendors assigned to manage the system. At no 
time will Salesforce Government Cloud have any access to VA data 
residing within the Salesforce Development Platform VA. Thus, all 
agreements on data and system responsibilities shall not be covered in 
this base agreement (i.e., MOU). However, Salesforce Government Cloud 
shall provide the tools to allow VA to properly secure all systems and 
data hosted in the Salesforce Development Platform VA.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of records in this system may write, call or visit the VA healthcare 
facility location where they are or were employed or made contact or 
they may write to the National Center for Ethics in Health Care at 810 
Vermont Avenue NW, Washington, DC 20420.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of IEWeb records may write, call, or visit the last VA healthcare 
facility where healthcare was provided or by writing to the National 
Center for Ethics in Health Care at 810 Vermont Avenue NW, Washington, 
DC 20420.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Last full publication provided in 81 FR 5033 dated January 29, 
2016.

[FR Doc. 2021-26026 Filed 11-29-21; 8:45 am]
BILLING CODE 8320-01-P