AGENCY:

Department of Veterans Affairs (VA), Veterans Health Administration (VHA).

ACTION:

Notice of a new system of records.

SUMMARY:

The Privacy Act of 1974 requires that all agencies publish in the Federal Register a notice of the existence and character of their systems of records. Notice is hereby given that the Department of Veterans Affairs (VA) is establishing a new system of records entitled, “Community Care (CC) Provider Profile Management System (PPMS)-VA” (186VA10D).

DATES:

Comments on this new system of records must be received no later than 30 days after date of publication in the Federal Register. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the new system of records will become effective a minimum of 30 days after date of publication in the Federal Register. If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

ADDRESSES:

Written comments concerning the new system of records may be submitted by: Mail or hand-delivery to Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Avenue NW, Room 1068, Washington, DC 20420; fax to (202) 273-9026; or Email to http://www.Regulations.gov. Comments should indicate that they are submitted in response to “Community Care Provider Profile Management System (PPMS)-VA” (186VA10D). All comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 (this is not a toll-free number) for an appointment.

FOR FURTHER INFORMATION CONTACT:

CC Program Manager Office of Information and Technology (OIT), Enterprise Portfolio Management Division (EPMD), St. Petersburg Field Office, 9500 Bay Pines Boulevard, St. Petersburg, Florida 33708, Mailing Address: P.O. Box 1437, St. Petersburg, Florida 33708; telephone at (727) 230-9032 (this is not a toll-free number). VHA Office of Community Care, P.O. Box 469066, Denver, Colorado 80246.

SUPPLEMENTARY INFORMATION:

I. Description of Proposed Systems of Records

The Community Care (CC) Provider Profile Management System (PPMS) is focused on the implementation and maintenance of a provider directory to be used by the multiple VA portfolios in maintaining the Community Care Network (CCN), TriWest Patient-Centered Community Care (PC3) and Choice Program, Individual Care Agreements, Veteran Care Agreements, VA Medical Center (VAMC) Local Contracts, Indian Health Service Providers, Department of Defense facilities, and VAMC providers.

II. Proposed Routine Use Disclosures of Data in the System

We are proposing to establish the following Routine Use disclosures of information maintained in the system. PPMS will collect and retain personally identifiable information on non-VA health care providers. VA Provider publically available data is retained in the system, no personally identifiable information is collected on VA providers. These providers will be conducting health services with VA.

1. VA may disclose information from the record of an individual in response to an inquiry from the congressional office made at the request of that individual. VA must be able to provide information about individuals to adequately respond to inquiries from Members of Congress at the request of constituents who have sought their assistance.

2. VA may disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

3. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or Start Printed Page 6980adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation.

4. VA may disclose information from this system of records to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has a contract or agreement to perform services under the contract or agreement. This routine use includes disclosures by an individual or entity performing services for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA. This routine use, which also applies to agreements that do not qualify as contracts defined by Federal procurement laws and regulations, is consistent with OMB guidance in OMB Circular A-130, App. I, paragraph 5a(1)(b) that agencies promulgate routine uses to address disclosure of Privacy Act-protected information to contractors in order to perform the services contracts for the agency.

5. VA may disclose information from this system to the Equal Employment Opportunity Commission (EEOC) when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or other functions of the Commission as authorized by law or regulation. VA must be able to provide information to EEOC to assist it in fulfilling its duties to protect employees' rights, as required by statute and regulation.

6. VA may disclose information from this system to the Federal Labor Relations Authority (FLRA), including its General Counsel, information related to the establishment of jurisdiction, investigation, and resolution of allegations of unfair labor practices, or in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; for it to address matters properly before the Federal Services Impasses Panel, investigate representation petitions, and conduct or supervise representation elections. VA must be able to provide information to FLRA to comply with the statutory mandate under which it operates.

7. VA may disclose information from this system to the Merit Systems Protection Board (MSPB), or the Office of the Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law. VA must be able to provide information to MSPB to assist it in fulfilling its duties as required by statute and regulation.

8. VA may disclose information from this system to the National Archives and Records Administration (NARA) and General Services Administration (GSA) in records management inspections conducted under title 44, U.S.C. NARA is responsible for archiving old records which are no longer actively used but may be appropriate for preservation, and for the physical maintenance of the Federal government's records. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

9. VA may disclose relevant information to: (1) A Federal agency or CC institutions and providers when VA refers a patient for hospital or nursing home care or medical services, or authorizes a patient to obtain non-VA medical services and the information is needed by the Federal agency or non-VA institution or provider to perform the services; or (2) a Federal agency or to a non-VA hospital (Federal, state, and local public or private) or other medical installation having hospital facilities, organ banks, blood banks, or similar institutions, medical schools or clinics, or other groups or individuals that have contracted or agreed to provide medical services or share the use of medical resources under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, when treatment is rendered by VA under the terms of such contract or agreement or the issuance of an authorization, and the information is needed for purposes of medical treatment and/or follow-up, determining entitlement to a benefit, or for VA to effect recovery of the costs of the medical care.

10. VA may disclose information in this system, to a Federal, state, or local agency maintaining civil or criminal violation records, or other pertinent information such as prior employment history, prior Federal employment background investigations, and/or personal or educational background in order for VA to obtain information relevant to the hiring, transfer or retention of an employee, the letting of a contract, the granting of a security clearance, or the issuance of a grant or other benefit.

11. VA may disclose information from this system of records to a Federal agency or the District of Columbia government, in response to its request, in connection with the hiring or retention of an employee and the issuance of a security clearance as required by law, the reporting of an investigation of an employee, the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision.

12. Any information in this system may be disclosed to a state or local agency, upon its official request, to the extent that it is relevant and necessary to that agency's decision on: The hiring, transfer or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance or continuance of a license, grant or other benefit by the agency; provided, that the name and address is provided first by the requesting state or local agency.

13. VA may disclose information concerning CC providers, including name, address, and national provider idententification numbers which may be disclosed to the Department of the Treasury, Internal Revenue Service, to report calendar year earnings of $600 or more for income tax reporting purposes.

14. VA may disclose information to the Department of the Treasury to facilitate payments to physicians, clinics, and pharmacies for reimbursement of services rendered, and to veterans for reimbursements of authorized expenses, or to collect, by set off or otherwise, debts owed the United States.

15. VA may disclose any relevant information from this system of records to attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and to courts, boards, or commissions, but only to the extent necessary to aid VA in the preparation, presentation, and prosecution of claims authorized under Federal, state, or local laws, and regulations promulgated thereunder.Start Printed Page 6981

16. VA may disclose identifying information in this system, including name, address, social security number, and other information as is reasonably necessary to identify such individual, to the National Practitioner Data Bank at the time of hiring and/or clinical privileging/re-privileging of health care practitioners, and other times as deemed necessary by VA, in order for VA to obtain information relevant to a Department decision concerning the hiring, privileging/re-privileging, retention, or termination of the applicant or employee.

17. VA may disclose relevant information from this system of records to the National Practitioner Data Bank and/or State Licensing Board in the state(s) in which a practitioner is licensed, in which the VA facility is located, and/or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning: (1) Any payment for the benefit of a physician, dentist, or other licensed health care practitioner which was made as the result of a settlement or judgment of a claim of medical malpractice, if an appropriate determination is made in accordance with Department policy that payment was related to substandard care, professional incompetence, or professional misconduct on the part of the individual; (2) a final decision which relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician or dentist for a period longer than 30 days; or (3) the acceptance of the surrender of clinical privileges or any restriction of such privileges by a physician or dentist, either while under investigation by the health care entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

18. VA may disclose information from this system of records to a Federal agency or to a state or local government licensing board and/or to the Federation of State Medical Boards or a similar non-governmental entity which maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty, to inform a Federal agency or licensing boards or the appropriate non-governmental entities about the health care practices of a terminated, resigned, or retired health care employee whose professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients in the private sector or from another Federal agency. These records may also be disclosed as part of an ongoing computer matching program to accomplish these purposes.

19. For program review purposes and the seeking of accreditation and/or certification, VA may disclose health care information to survey teams of the Joint Commission, College of American Pathologists, American Association of Blood Banks, and similar national accreditation agencies or boards with which VA has a contract or agreement to conduct such reviews, but only to the extent that the information is necessary and relevant to the review.

20. VA may disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

21. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

22. VA may disclose information in this system which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, state, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. VA may also disclose the names and addresses of providers to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

III. Compatibility of the Proposed Routine Uses

The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which VA collected the information. In all of the routine use disclosures described above, either the recipient of the information will use the information in connection with a matter relating to one of VA's programs, to provide a benefit to VA, or to disclose information as required by law.

Under section 264, Subtitle F of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 100 Stat. 1936, 2033-34 (1996), the United States Department of Health and Human Services (HHS) published a final rule, as amended, establishing Standards for Privacy of Individually-Identifiable Health Information, 45 CFR parts 160 and 164. Veterans Health Administration (VHA) may not disclose individually identifiable health information (as defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to a routine use unless either: (a) The disclosure is required by law, or (b) the disclosure is also permitted or required by HHS' Privacy Rule. The disclosures of individually-identifiable health information contemplated in the routine uses published in this new system of records notice are permitted under the Privacy Rule or required by law. However, to also have authority to make such disclosures under the Privacy Act, VA must publish these routine uses. Consequently, VA is publishing these routine uses to the routine uses portion of the system of records notice stating that any disclosure pursuant to the routine uses in this system of records notice must be either required by law or permitted by the Privacy Rule, before VHA may disclose the covered information.

The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director, Office of Management and Budget, as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. James P. Gfrerer, Assistant Secretary of Information and Technology and Chief Information Start Printed Page 6982Officer, approved this document on May 15, 2020 for publication.

SYSTEM NAME AND NUMBER:

Community Care (CC) Provider Profile Management System (PPMS)-VA (186VA10D)

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Records are managed by the VHA Office of Community Care (Program Office), 3773 Cherry Creek North Drive, Denver, CO 80209.

Microsoft Azure Cloud customer service: 1-855-270-0615, Privacy Data Management: https://azure.microsoft.com/​en-us/​privacy-data-management/​.

SYSTEM MANAGER(S):

CC Program Manager, VHA Office of Community Care, P.O. Box 469066, Denver, CO 80246. Telephone number 303-398-3479 (this is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Public Law 104-191; 5 U.S.C. 301; 38 U.S. Code § 1703; 45 Code of Federal Regulations (CFR) part 164; and 4 CFR 103.

PURPOSE(S) OF THE SYSTEM:

The Community Care (CC) Provider Profile Management System (PPMS) is a comprehensive repository of information of VA community providers. PPMS collect and retain personally identifiable information on CC health care providers or CC providers. VA maintains a directory of medical providers internal VAMC medical providers and external CC providers which comprise the Community Care Provider Network.

Provider data is collected in two ways. The CC provider's date of birth, tax identification number and/or Social Security Number will be collected by CCN contractors and submitted electronically directly to PPMS via PPMS secure Integrated Web Services (IWS). A second method of collecting the date is by the Medical Support Assistants (MSA), Program Support Assistants (PSA), Registered Nurses (RN), and Social Workers (Geriatrics and Extended Care (GEC)) at the local VA facility. PPMS will provide increased timeliness and quality service to Veterans by improved tracking of provider relationships and validating data elements, as well as enterprise wide accessibility to a comprehensive list of provider information for referrals and scheduling CC services for Veterans.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

These records may include information on:

(1) VA health care providers: This may include, but not limited to Dentists, Licensed Practical or Vocational Nurses, Registered Nurses, Audiologists, Physician Assistants, Physicians, Podiatrists.

(2) Non-VA health care providers (CC providers) who through a contractual agreement or other agreement may be providing health care services to VA patients.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records may include VA providers and non-VA provider's information related to: name, status, provider type, provider name, national provider identifier/index, provider identifier type, status reason, quality ranking total score, quality ranking last updated, preferred provider, main phone, email, billing address, internal control number, geo code, language, license number, drug enforcement administration registration number, certification, tax identification/social security number and non-VA provider's date of birth.

RECORD SOURCE CATEGORIES:

Medical Providers or accredited representatives, and other third parties; private medical facilities and health care professionals; other Federal agencies; employees; contractors; VHA facilities and automated systems providing clinical and managerial support at VA health care facilities.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information, and 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.

1. VA may disclose information from the record of an individual in response to an inquiry from the congressional office made at the request of that individual. VA must be able to provide information about individuals to adequately respond to inquiries from Members of Congress at the request of constituents who have sought their assistance.

2. VA may disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

3. VA may disclose information in this system of records to DoJ, either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation.

4. VA may disclose information from this system of records to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has a contract or agreement to perform services under the contract or agreement. This routine use includes disclosures by an individual or entity performing services for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the Start Printed Page 6983service to VA. This routine use, which also applies to agreements that do not qualify as contracts defined by Federal procurement laws and regulations, is consistent with the Office of Management and Budget (OMB) guidance in OMB Circular A-130, App. I, paragraph 5a(1)(b) that agencies promulgate routine uses to address disclosure of Privacy Act-protected information to contractors in order to perform the services contracts for the agency.

5. VA may disclose information from this system to EEOC when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or other functions of the Commission as authorized by law or regulation. VA must be able to provide information to EEOC to assist it in fulfilling its duties to protect employees' rights, as required by statute and regulation.

6. VA may disclose information from this system to FLRA, including its General Counsel, information related to the establishment of jurisdiction, investigation, and resolution of allegations of unfair labor practices, or in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; for it to address matters properly before the Federal Services Impasses Panel, investigate representation petitions, and conduct or supervise representation elections. VA must be able to provide information to FLRA to comply with the statutory mandate under which it operates.

7. VA may disclose information from this system to the Merit Systems Protection Board, or the Office of the Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law. VA must be able to provide information to MSPB to assist it in fulfilling its duties as required by statute and regulation.

8. VA may disclose information from this system to NARA and GSA in records management inspections conducted under title 44, U.S.C. NARA is responsible for archiving old records which are no longer actively used but may be appropriate for preservation, and for the physical maintenance of the Federal government's records. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

9. VA may disclose relevant information to: (1) A Federal agency or CC institutions and providers when VA refers a patient for hospital or nursing home care or medical services, or authorizes a patient to obtain non-VA medical services and the information is needed by the Federal agency or non-VA institution or provider to perform the services; or (2) a Federal agency or to a non-VA hospital (Federal, state, and local public or private) or other medical installation having hospital facilities, organ banks, blood banks, or similar institutions, medical schools or clinics, or other groups or individuals that have contracted or agreed to provide medical services or share the use of medical resources under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, when treatment is rendered by VA under the terms of such contract or agreement or the issuance of an authorization, and the information is needed for purposes of medical treatment and/or follow-up, determining entitlement to a benefit, or for VA to effect recovery of the costs of the medical care.

10. VA may disclose information in this system, to a Federal, state, or local agency maintaining civil or criminal violation records, or other pertinent information such as prior employment history, prior Federal employment background investigations, and/or personal or educational background in order for VA to obtain information relevant to the hiring, transfer or retention of an employee, the letting of a contract, the granting of a security clearance, or the issuance of a grant or other benefit.

11. VA may disclose information from this system of records to a Federal agency or the District of Columbia government, in response to its request, in connection with the hiring or retention of an employee and the issuance of a security clearance as required by law, the reporting of an investigation of an employee, the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision.

12. Any information in this system may be disclosed to a state or local agency, upon its official request, to the extent that it is relevant and necessary to that agency's decision on: The hiring, transfer or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance or continuance of a license, grant or other benefit by the agency; provided, that the name and address is provided first by the requesting state or local agency.

13. VA may disclose information concerning CC institutions and providers, including name, address, and social security or employer's taxpayer identification numbers, may be disclosed to the Department of the Treasury, Internal Revenue Service, to report calendar year earnings of $600 or more for income tax reporting purposes.

14. VA may disclose information to the Department of the Treasury to facilitate payments to physicians, clinics, and pharmacies for reimbursement of services rendered, and to veterans for reimbursements of authorized expenses, or to collect, by set off or otherwise, debts owed the United States.

15. VA may disclose any relevant information from this system of records to attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and to courts, boards, or commissions, but only to the extent necessary to aid VA in the preparation, presentation, and prosecution of claims authorized under federal, state, or local laws, and regulations promulgated thereunder.

16. VA may disclose identifying information in this system, including name, address, social security number, and other information as is reasonably necessary to identify such individual, to the National Practitioner Data Bank at the time of hiring and/or clinical privileging/re-privileging of health care practitioners, and other times as deemed necessary by VA, in order for VA to obtain information relevant to a Department decision concerning the hiring, privileging/re-privileging, retention, or termination of the applicant or employee.

17. VA may disclose relevant information from this system of records to the National Practitioner Data Bank and/or State Licensing Board in the state(s) in which a practitioner is licensed, in which the VA facility is located, and/or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning: (1) Any payment for the benefit of a physician, dentist, or other licensed health care practitioner which was made as the result of a settlement or judgment of a claim of medical malpractice, if an appropriate determination is made in accordance with Department policy that payment was related to substandard care, professional incompetence, or professional misconduct on the part of the individual; (2) a final decision Start Printed Page 6984which relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician or dentist for a period longer than 30 days; or (3) the acceptance of the surrender of clinical privileges or any restriction of such privileges by a physician or dentist, either while under investigation by the health care entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

18. VA may disclose information from this system of records to a Federal agency or to a state or local government licensing board and/or to the Federation of State Medical Boards or a similar non-governmental entity which maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty, to inform a Federal agency or licensing boards or the appropriate non-governmental entities about the health care practices of a terminated, resigned, or retired health care employee whose professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients in the private sector or from another Federal agency. These records may also be disclosed as part of an ongoing computer matching program to accomplish these purposes.

19. For program review purposes and the seeking of accreditation and/or certification, VA may disclose health care information to survey teams of the Joint Commission, College of American Pathologists, American Association of Blood Banks, and similar national accreditation agencies or boards with which VA has a contract or agreement to conduct such reviews, but only to the extent that the information is necessary and relevant to the review.

20. VA may disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

21. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

22. VA may disclose information in this system which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, state, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. VA may also disclose the names and addresses of providers to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

PPMS is a repository hosted on the Microsoft Azure Government (MAG) Cloud for provider records which are received electronically from the CCNs. The CCNs collect the provider data, including the date of birth and tax identification number/social security number, directly from the provider and stores it in a mechanism outside of VA. The records are electronically transmitted from the CCN to VA using secure integrated web services where they are stored in PPMS behind the VA firewall.

A second source of provider data are the CC Managers, MSA, PSA, RN, and Social Workers (GEC) at a local VA facility, who have taken the PPMS training, communicate directly with non-VA care providers and set up the provider in PPMS so they may be used in referrals for Veteran care. They will enter the data, including the date of birth and tax identification number/social security number, into PPMS which is behind the VA firewall. The date of birth and tax identification number/social security number information is a field in PPMS and is an attribute of the providers' profile level of data.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

For users internal to VA, electronic records are retrieved via the PPMS Customer Relationship Management (CRM) Tool interface using the Provider's name or NPI number. Only approved VA employees whom are provisioned with PPMS access are authorized to access records. Records are retrieved by name, speciality, date of birth, tax identification number/social security number, or other assigned identifiers of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Record Control Schedule (RCS) 10-1 item 1150 Office of Quality and Performance 1150.1. Health Care Provider Credentialing and Privileging Records. Electronic Files. Electronic version of information entered directly into the electronic credentialing and privileging record information system. Temporary; delete 30 years after the last episode of employment, appointment, contract, etc. from VA. (N1-015-10-07, Item 1)

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

1. PPMS is a customized Microsoft Dynamics 365 solution deployed on a FedRAMP Accredited Microsoft Dynamics CRM Online for Government (CRMOL) Cloud Platform. Microsoft Dynamics 365 includes several security features that provide PPMS administrators with the ability to implement a variety of administrative and technical safeguards which include:

—Account management using Microsoft Active Directory to centrally manage user accounts

—User authorization through two-factor, single sign-on, authentication

—Access control using role-based access control

—Data protection through encrypting of data-at-rest

—Auditing of user access and changes to PPMS data

Additional physical security safeguards are also implemented within the Microsoft Azure Data Center on which PPMS is deployed. Microsoft Azure maintains overall responsibility for the oversight of data center operations including physical security, site services (server deployments and break/fix work), infrastructure build-out, critical environment operations and maintenance, and facilities management. Data Center site security officers monitor the physical security of the facility 24 x 7.

2. The PPMS system is hosted in MAG Cloud infrastructure as a service cloud-computing environment that has been authorized at the high-impact level under the Federal Risk and Authorization Management Program (FedRAMP). The secure site-to-site Start Printed Page 6985encrypted network connection is limited to access via the VA Trusted internet Connection.

3. Access to PPMS is provisioned by a Service Now ticket routed to the PPMS Operations & Maintenance (O&M) team who grants access based on proven PPMS training completion by the individual requesting access. Access is monitored by O&M on a weekly basis due to limited number of licenses purchased for the CRM product.

RECORD ACCESS PROCEDURES:

An individual who seeks access to records maintained under his or her name in this system may submit a written request to VHA Office of Community Care, (Privacy Office) P.O. Box 469060, Denver, Colorado 80246-9060, or apply in person to the VHA Office of Community Care, 3773 Cherry Creek North Drive, Suite 470, Denver, Colorado 80209.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)

NOTIFICATION PROCEDURES:

Any individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to determine the contents of such record, should submit a written request to VHA Office of Community Care, (Privacy Office), P.O. Box 469060, Denver, Colorado 80246-9060, or apply in person to the VHA Office of Community Care, 3773 Cherry Creek North Drive, Suite 470, Denver, Colorado 80209.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.