[Federal Register Volume 88, Number 178 (Friday, September 15, 2023)]
[Notices]
[Pages 63678-63680]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-20044]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA), Veterans Health 
Administration (VHA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, notice is hereby given 
that the VA is modifying the system of records entitled, ``Customer 
Relationship Management System (CRMS)-VA'' (155VA10NB). This system is 
used for historical reference, quality assurance, training, and 
statistical reporting.

DATES: Comments on this modified system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by the VA, the 
modified system of records will become effective a minimum of 30 days 
after date of publication in the Federal Register. If VA receives 
public comments, VA shall review the comments to determine whether any 
changes to the notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Customer Relationship Management System (CRMS)-VA'' 
(155VA10NB). Comments received will be available at regulations.gov for 
public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health 
Administration (VHA) Chief Privacy Officer, Department of Veterans 
Affairs, 810 Vermont Avenue NW, Washington, DC 20420; telephone 
704-245-2492 (Note: this is not a toll-free number) or 
[email protected].

SUPPLEMENTARY INFORMATION: VA is amending the system of records by 
revising the System Number; System Location; System Manager; Purpose of 
the System; Categories of Records in the System; Records Source 
Categories; Routine Uses of Records Maintained in the System; Policies 
and Practices for Retention and Disposal of Records; and Administrative, 
Technical and Physical Safeguards. VA is republishing the system notice 
in its entirety.
    The System Number is being updated from 155VA10NB to 155VA10 to 
reflect the current VHA organizational routing symbol.
    The System Location and the Administrative, Technical and Physical 
Safeguards sections are being updated to replace Health Resource Center 
with VHA Member Services. The System Location will also be updated to 
include, ``Information from these records or copies of these records 
may be maintained at VA Enterprise Cloud Data Centers/Amazon Web 
Services, 1915 Terry Avenue, Seattle, WA 98101.''
    The System Manager is updated to replace Chief Business Officer 
(10NB), with Deputy Under Secretary for Health and Operations, VHA 
Member Services. Also, Director, Health Resource Center is replaced 
with Director, VHA Member Services.
    The Purpose of the System is being modified to include, ``tracking 
and managing inbound and outbound customer contacts across channels 
(e.g., telephone, email, mail, chat), and maintaining customer support 
history. These records are used by Member Services Call Center agents 
to provide customer support to Veterans and their family members by 
allowing agents to resolve inbound calls and achieve first-call 
resolution as well as provide an efficient desktop, workflow, contact 
history and knowledge management capabilities. These records are also 
used to answer Veteran questions about VA and their care and enhance 
VA's ability to provide timely, valid responses to Veteran inquiries 
about benefits, eligibility and other matters.''
    The Categories of Records in the System is being updated to include 
name and Social Security Number.
    The Record Source Categories is being modified to include, ``VA 
information systems, including but not limited to, Health Data 
Repository, Veterans Experience Integration Solution, VA Profile, 
Consolidated Copayment Processing Center System, and Master Person 
Index.''
    Routine Use number 8 is being removed, which states, ``Disclosure 
may be made to those officers and employees of the agency that 
maintains the record who have a need for the record in the performance 
of their duties.'' Routine use number 8 will now be replaced with a new 
routine use to state, ``To another Federal agency or Federal entity, 
when VA determines that information from this system of records is 
reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs and 
operations), the Federal Government, or national security, resulting 
from a suspected or confirmed breach.''
    Policies and Practices for Storage of Records is being updated to 
remove the VA Office of Information Technology (OIT) approved location.
    Policies and Practices for Retention and Disposal of Records is 
being updated to remove, ``Electronic Service Records are purged when 
they are no longer needed for current operation.'' This section is 
updated to state, ``CRMS records will be maintained and disposed of in 
accordance with the schedule approved by the Archivist of the United 
States, Records Control Schedule (RCS) 10-1, 1925.1, Destroy 1 year 
after resolved, or when no longer needed for business use, whichever is 
appropriate.''
    Administrative, Technical and Physical Safeguards is being updated 
to include number 6, ``VA Enterprise Cloud data storage conforms to 
security protocols as stipulated in VA Directives 6500 and 6517. Access 
control standards are stipulated in specific agreements with cloud 
vendors to restrict and monitor access.''
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the 
undersigned to sign and submit the document to the Office of the 
Federal Register for publication electronically as an official document 
of the Department of Veterans Affairs. Kurt D. DelBene, Assistant 
Secretary for Information and Technology and Chief Information Officer, 
approved this document on August 7, 2023 for publication.

    Dated: September 12, 2023.
Amy L. Rose,
Government Information Specialist, VA Privacy Service, Office of 
Compliance, Risk and Remediation, Office of Information and Technology, 
Department of Veterans Affairs.

SYSTEM NAME:
    ``Customer Relationship Management System (CRMS)-VA'' (155VA10).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records and magnetic media are maintained at the Veterans Health 
Administration (VHA) Member Services, Topeka, Kansas facility or at 
another Office of Information Technology (OIT) approved location. 
Magnetic media are also stored at an OIT approved location for 
contingency back-up purposes. In addition, information from these 
records or copies of these records may be maintained at the Department 
of Veterans Affairs (VA) Enterprise Cloud Data Centers/Amazon Web 
Services, 1915 Terry Avenue, Seattle, WA 98101.

SYSTEM MANAGER(S):
    Official responsible for policies and procedures: Deputy Under 
Secretary for Health and Operations, VHA Member Services, VA Central 
Office, 810 Vermont Avenue NW, Washington, DC 20420. Telephone number 
202-461-4239 (this is not a toll-free number). Official maintaining the 
system: Director, VHA Member Services, 3401 SW 21st Street Bldg. 9, 
Topeka, Kansas 66604.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    38 U.S.C. 501(a), 1705, 1710, 1722, 1722(a), 1781 and 5 U.S.C. 
552(a).

PURPOSE(S) OF THE SYSTEM:
    These records are used for historical reference, 
quality assurance, training, statistical reporting, tracking and 
managing inbound and outbound customer contacts across channels (e.g., 
telephone, email, mail, chat), and maintaining customer support 
history. These records are used by Member Services Call Center agents 
to provide customer support to Veterans and their family members by 
allowing agents to resolve inbound calls and achieve first-call 
resolution as well as provide an efficient desktop, workflow, contact 
history and knowledge management capabilities. These records are also 
used to answer Veteran questions about VA and their care and enhance 
VA's ability to provide timely, valid responses to Veteran inquiries 
about benefits, eligibility and other matters.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    These records include information on Veterans, Veteran's family 
members, members of the general public, VA customers, and VA employees.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records include name, Social Security Number, address, date of 
birth, military identification number and other unique identifiers from 
individuals contacting VHA concerning: 1. Veteran health benefits 
eligibility and health care appointment request; 2. Veteran medical 
claims processing and payments; 3. Co-payments charged for medical care 
and prescriptions; 4. General administrative pharmacy inquiries; 5. 
General human resources management, (e.g., employee benefits, 
recruitment/job applicants, etc.); and 6. Other information related to 
Veterans, Veteran's family members, members of the general public, VA 
customers, and VA employees.

RECORD SOURCE CATEGORIES:
    Information in this system of records may be provided by Veterans, 
Veteran's family members, members of the general public, VA customers, 
VA employees, and VA information systems, including but not limited to, 
Health Data Repository, Veterans Experience Integration Solution, VA 
Profile, Consolidated Copayment Processing Center System, and Master 
Person Index.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information of VHA or any of its business 
associates, and 38 U.S.C. 7332, i.e., medical treatment information 
related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia, 
or infection with the human immunodeficiency virus, that information 
cannot be disclosed under a routine use unless there is also specific 
statutory authority in both 38 U.S.C. 7332 and 45 CFR parts 160 and 164 
permitting disclosure.
    1. Congress: To a Member of Congress or staff acting upon the 
Member's behalf when the Member or staff requests the information on 
behalf of, and at the request of, the individual who is the subject of 
the record.
    2. National Archives and Records Administration (NARA): To the NARA 
in records management inspections conducted under 44 U.S.C. 2904 and 
2906, or other functions authorized by laws and policies governing NARA 
operations and VA records management responsibilities.
    3. Department of Justice (DoJ), Litigation, Administrative 
Proceeding: To the DoJ, or in a proceeding before a court, adjudicative 
body, or other administrative body before which VA is authorized to 
appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her official capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components, is a party to 
such proceedings or has an interest in such proceedings, and VA 
determines that use of such records is relevant and necessary to the 
proceedings.
    4. Contractors: To contractors, grantees, experts, consultants, 
students and others performing or working on a contract, service, 
grant, cooperative agreement, or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    5. Law Enforcement: To a Federal, state, local, territorial, tribal 
or foreign law enforcement authority or other appropriate entity 
charged with the responsibility of investigating or prosecuting such 
violation or charged with enforcing or implementing such law, provided 
that the disclosure is limited to information that, either alone or in 
conjunction with other information, indicates a violation or potential 
violation of law, whether civil, criminal, or regulatory in nature. The 
disclosure of the names and addresses of Veterans and their dependents 
from VA records under this routine use must also comply with the 
provisions of 38 U.S.C. 5701.
    6. Federal Agencies, Fraud and Abuse: To other Federal agencies to 
assist such agencies in preventing and detecting possible fraud or 
abuse by individuals in their operations and programs.
    7. Data Breach Response and Remediation, for VA: To appropriate 
agencies, entities and persons when (1) 
VA suspects or has confirmed that there has been a breach of the system 
of records; (2) VA has determined that as a result of the suspected or 
confirmed breach there is a risk to individuals, VA (including its 
information systems, programs and operations), the Federal Government, 
or national security; and (3) the disclosure made to such agencies, 
entities or persons is reasonably necessary to assist in connection 
with VA efforts to respond to the suspected or confirmed breach or to 
prevent, minimize or remedy such harm.
    8. Data Breach Response and Remediation, for Another Federal 
Agency: To another Federal agency or Federal entity, when VA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    9. Unions: To unions identified in 5 U.S.C. 7114(b)(4) to officials 
of labor organizations recognized under 5 U.S.C. Chapter 71 when 
relevant and necessary to their duties of exclusive representation 
concerning personnel policies, practices and matters affecting working 
conditions.
    10. Merit Systems Protection Board (MSPB): To the MSPB in 
connection with appeals, special studies of the civil service and other 
merit systems, review of rules and regulations, investigation of 
alleged or possible prohibited personnel practices, and such other 
functions promulgated in 5 U.S.C. 1205 and 1206, or as otherwise 
authorized by law.
    11. Equal Employment Opportunity Commission (EEOC): To the EEOC in 
connection with investigations of alleged or possible discriminatory 
practices, examination of Federal affirmative employment programs, or 
other functions of the Commission as authorized by law.
    12. Federal Labor Relations Authority (FLRA): To the FLRA in 
connection with the investigation and resolution of allegations of 
unfair labor practices, the resolution of exceptions to arbitration 
awards when a question of material fact is raised; matters before the 
Federal Service Impasses Panel; and the investigation of representation 
petitions and the conduct or supervision of representation elections.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored on electronic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records in this system are retrieved by name, Social Security 
Number or other assigned identifiers of the individuals on whom they 
are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    CRMS records will be maintained and disposed of in accordance with 
the schedule approved by the Archivist of the United States, Records 
Control Schedule (RCS) 10-1, 1925.1, Destroy one year after resolved, 
or when no longer needed for business use, whichever is appropriate.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. All entrance doors to the VHA Member Services Topeka, KS and 
Waco, TX locations require an electronic pass card to gain entry. Hours 
of entry to the facility are controlled based on position held and 
special needs. Visitors to the VHA Member Services are required to 
sign in at a specified location and are escorted the entire time they 
are in the building or they are issued a temporary visitor's badge. At 
the end of the visit, visitors are required to turn in their badge. The 
building is equipped with an intrusion alarm system which is activated 
when any of the doors are forced open or held ajar for a specified 
length of time. During business hours, the security system is monitored 
by the VA police and Member Services staff. After business hours, the 
security system is monitored by the VA telephone operator(s) and VA 
police. The VA police conduct visual security checks of the outside 
perimeter of the building.
    2. Access to the building is generally restricted to Member 
Services staff and VA police, specified custodial personnel, 
engineering personnel, and canteen service personnel.
    3. Access to computer rooms is restricted to authorized VA OIT 
personnel and requires entry of a personal identification number (PIN) 
with the pass card swipe. PINs must be changed periodically. All other 
persons gaining access to computer rooms are escorted. Information 
stored in the computer may be accessed by authorized VA employees at 
remote locations including the Health Eligibility Center in Atlanta, 
GA; Health Administration Center in Denver, CO; Consolidated Patient 
Accounting Center in Asheville, NC; and VA health care facilities.
    4. All Member Services employees receive information security and 
privacy awareness training and sign the Rules of Behavior; training is 
provided to all employees on an annual basis. The Member Services 
Information System Security Officer performs an annual information 
security audit and periodic reviews to ensure the security of the 
system.
    5. For contingency purposes, database backups on magnetic media are 
stored off-site at an approved VA OIT location.
    6. VA Enterprise Cloud data storage conforms to security protocols 
as stipulated in VA Directives 6500 and 6517. Access control standards 
are stipulated in specific agreements with cloud vendors to restrict 
and monitor access.

RECORD ACCESS PROCEDURE:
    Individuals seeking information on the existence and content of a 
related record in this system pertaining to them should contact the 
system manager in writing as indicated above or may write or visit the 
VA facility location where they normally receive their care.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest or amend records in this system 
pertaining to them should contact the system manager in writing as 
indicated above or inquire in person at the VA health care facility 
where they normally receive their care. A request to contest or amend records 
must state clearly and concisely what record is being contested, the 
reasons for contesting it, and the proposed amendment to the record.

NOTIFICATION PROCEDURE:
    Generalized notice is provided by the publication of this notice. 
For specific notice, see Record Access Procedure, above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    73 FR 72123 (November 26, 2008), 80 FR 11531 (March 3, 2015).

[FR Doc. 2023-20044 Filed 9-14-23; 8:45 am]