2023-24193. Privacy Act of 1974; System of Records  

  • Start Preamble

    AGENCY:

    Veterans Health Administration (VHA), Department of Veterans Affairs (VA).

    ACTION:

    Notice of a modified system of records.

    SUMMARY:

    Pursuant to the Privacy Act of 1974, notice is hereby given that the VA is modifying the system of records titled, “Administrative Data Repository–VA” (150VA19). This system is used as the source for the information necessary to uniquely identify a person across the Veterans Health Administration (VHA), act as a record locator system for person records across the Administration, master the identity data and synchronize updates and changes to all the systems that know that person.

    DATES:

    Comments on this modified system of records must be received no later than 30 days after date of publication in the Federal Register . If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the modified system of records will become effective a minimum of 30 days after date of publication in the Federal Register . If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

    ADDRESSES:

    Comments may be submitted through www.regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), Washington, DC 20420. Comments should indicate that they are submitted in response to “Administrative Data Repository–VA” (150VA19). Comments received will be available at regulations.gov for public viewing, inspection or copies.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Stephania Griffin, VHA Chief Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420; Stephania.Griffin@va.gov, telephone number 704–245–2492 (Note: this is not a toll-free number).

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    VA is amending the system of records by revising the System Name; System Number; System Location; System Manager; Purpose; Categories of Individuals Covered by the System; Categories of Records in the System; Record Source Categories; Routine Uses of Records Maintained in the System; Policies and Practices for Storage of Records; Policies and Practices for Retention and Disposal of Records; Record Access Procedure; Contesting Records Procedures; Notification Procedure; and Administrative, Technical and Physical Safeguards. VA is republishing the system notice in its entirety.

    The System Name is being updated from “Administrative Data Repository–VA” to “Enterprise Identity and Demographics Records–VA”.

    The System Number will be changed from 150VA19 to 150VA10 to reflect the current VHA organizational routing symbol.

    The System Location has been updated to replace Austin Automation Start Printed Page 75388 Center with Austin Information Technology Center (AITC). The section will include that records are also hosted in a Federal Information Security Management Act (FISMA)—high VA Enterprise Cloud (VAEC). At the Enterprise Level this information is stored and maintained within the VA Master Person Index (VA MPI), which is defined as the authoritative data source for this information. The section was also amended to remove the statement, “Information from these records or copies of records may be maintained at the Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC, VA Data Processing Centers, VA CIO Field Offices, Veterans Integrated Service Network.”

    The System Manager is being updated to remove “Chief Information Officer” and replace “Director National Data Systems” with “Director Data Quality vha105highealthinfogovdqleadership@va.gov, Enterprise Help Desk 855–673–4357.”

    The Purpose has been amended to remove that the following: “records are used to establish person identity throughout only the VHA enterprise” and has been expanded to the VA enterprise. The purpose of the system of records is to provide a repository for the administrative information that is used to accomplish the purposes described within this document including determining Veteran benefits and eligibility. The records include information provided by patients, providers, employees, volunteers, trainees, contractors and others that receive IT access to our computer systems and information obtained during routine work, including VHA patient care. Quality assurance information that is protected by 38 U.S.C. 7311 and 38 CFR 17.500–17.511 is not within the scope of the Privacy Act and, therefore, is not included in this system of records or filed in a manner in which the information may be retrieved by reference to an individual identifier.”

    The Purpose section will now reflect the following language: “The purpose of these records is to serve as the source for the information necessary to uniquely identify a person across Veterans Health Administration, act as a record locator system for person records across the Administration, master the identity data and synchronize updates and changes to all the systems that know that person. The data may be used for VA's extensive research programs in accordance with VA policy. The data is used to identify and provide benefits for all persons of interest to VA and to establish the Integration Control Number (ICN) as VA's unique enterprise identifier. The information will also be used to identify the VA MPI as authoritative for this data and defines the mastering and synchronizing of this data with integrated partners. The VA MPI also provides authoritative data for the identity of Veterans and beneficiaries; current and former patients; Veterans Health Administration (VHA), Veterans Benefits Administration (VBA) and National Cemetery Administration (NCA) beneficiaries; employees; providers; volunteers; trainees; contractors; and individuals working collaboratively with VA. These identity management services are used across the enterprise and with external sharing partners.”

    The Categories of Individuals Covered by this System is being amended to include caregivers; patients; current and former VHA, VBA, and NCA beneficiaries. Also included are individuals examined or treated under contract or resource sharing agreements; individuals who have applied for 38 U.S.C. ch. 1 benefits, but do not meet the requirements under 38 U.S.C. ch. 1 to receive such benefits; individuals who were provided medical care under emergency conditions for humanitarian reasons and pensioned members of allied forces provided healthcare services under 38 U.S.C. ch. 1.

    The Categories of Records in the System is being amended to replace “1. Administrative assignments or categorization of duties of certain VHA personnel” with “1. Information used to establish unique enterprise identifiers, VA ICNs and all associated system identifiers and related metadata. This information is used to create a unique identifier for all persons of interest to VA and all other systems that have integrated with the VA MPI.”

    The following text within Categories of Records in the System will be removed: “2. education and continuing education ( e.g., name and address of schools and dates of attendance, courses attended and scheduled to attend, grades, type of degree, certificate, etc.); information related to military service and status; qualifications for employment ( e.g., license, degree, registration or certification, experience); Veteran enrollment and eligibility information including financial assessments.” This will now be replaced with “2. Identity information such as name, date of birth, birth sex, administrative sex, self-identified gender identity, pronoun, preferred name, Social Security Number, taxpayer identification number, date of death). Other demographic information such as home and/or mailing address, home telephone number, emergency contact information such as name, address, telephone number and relationship; and associated audit and necessary metadata.”

    Additionally, being removed from this section is: “3. Electronic messages used for network communication between VHA systems.”

    Record Source Categories is being updated to remove: “Information in this system of records is provided by patients, employees, providers, IT users, and others that work collaboratively with VHA.” This section will now reflect the following language: “Information in this system of records is provided by Veterans, VA employees, VA Health Eligibility Center, VHA Program Offices, VA medical facilities, VISNs and the following Systems Of Records: Veterans Health Information Systems and Technology Architecture (VistA) Records–VA (79VA10), Veterans Affairs Profile–VA (VA Profile) (192VA30) and any associated system of records that is utilizing VA MPI identity management services.”

    The following routine uses have been added:

    12. Federal Agencies, for Research: To a Federal agency to conduct research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that there is legal authority under all applicable confidentiality statutes and regulations to provide the data and the VHA Office of Informatics has determined prior to the disclosure that VHA data handling requirements are satisfied.

    13. Housing and Urban Development (HUD): To HUD for the purpose of reducing homelessness among Veterans by implementing the Federal strategic plan to prevent and end homelessness as well as by evaluating and monitoring the HUD Veterans Affairs Supported Housing program.

    14. Federal Agencies, for Computer Matches: To other Federal agencies for the purpose of conducting computer matches to obtain information to determine or verify eligibility of veterans receiving VA benefits or medical care under title 38.

    15. Non-VA Health Care Providers, for Treatment: To a non-VA healthcare provider, such as the Department Health and Human Services, for the purpose of treating any VA patient, including Veterans.

    16. Governmental Agencies, Health Organizations, for Claimants' Benefits: To Federal, State and local government agencies and national health organizations as reasonably necessary to Start Printed Page 75389 assist in the development of programs that will be beneficial to claimants, to protect their rights under law, and ensure they are receiving all benefits to which they are entitled.

    17. Law Enforcement, for Locating Fugitive: To any Federal, State, local, Territorial, Tribal, or foreign law enforcement agency in order to identify, locate, or report a known fugitive felon, in compliance with 38 U.S.C. 5313B(d).

    18. Business Partners, for Collaborative Efforts: To individuals or entities with whom VA has a written agreement or arrangement to perform such services as VA may deem practical for the purpose of laws administered by VA or for identifying and correlating patients.

    19. Data Breach Response and Remediation, for VA: To appropriate agencies, entities and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities or persons reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize or remedy such harm.

    Policies and Practices for Storage of Records is being updated to replace “Records are maintained at the Corporate Franchise Data Center which is a VA operated facility. Information is stored on disk media.” with “Records are stored electronically.”

    Policies and Practices for Retrieval of Records is being updated to include date of birth and ICN.

    Policies and Practices for Retention and Disposal of Records is being modified to include: “The records are maintained and disposed of in accordance with the schedule approved by the Archivist of the United States, General Records Schedule 4, item 2.”

    Administrative, Technical and Physical Safeguards are being updated to include: “4. The system is hosted in Amazon Web Services Government Cloud infrastructure as a service cloud computing environment that has been authorized at the high-impact level under the Federal Risk and Authorization Management Program. The secure site-to-site encrypted network connection is limited to access via the VA trusted internet connection.”

    Record Access Procedure is being updated to reflect the following language: “Individuals seeking information on the existence and content of records in this system pertaining to them should contact the system manager in writing as indicated above, or write, call or visit the VA facility location where they normally receive their care. A request for access to records must contain the requester's full name, address, telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort.”

    Contesting Records Procedures is being updated to reflect the following language: “Individuals seeking to contest or amend records in this system pertaining to them should contact the system manager in writing as indicated above, or write or visit the VA facility location where they normally receive their care. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.”

    Notification Procedure is being updated to state: “Generalized notice is provided by the publication of this notice. For specific notice, see Record Access Procedure, above.”

    The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

    Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Kurt D. DelBene, Assistant Secretary for Information and Technology and Chief Information Officer, approved this document on September 27, 2023 for publication.

    Start Signature

    Dated: October 30, 2023.

    Amy L. Rose,

    Government Information Specialist, VA Privacy Service, Office of Compliance, Risk and Remediation, Office of Information and Technology, Department of Veterans Affairs.

    End Signature

    SYSTEM NAME AND NUMBER:

    “Enterprise Identity and Demographics Records–VA” (150VA10).

    SECURITY CLASSIFICATION:

    Unclassified.

    SYSTEM LOCATION:

    Records are hosted in a containerized environment at a federally rated Federal Information Security Management Act (FISMA)-high data center in the Department of Veterans Affairs (VA) Austin Information Technology Center (AITC) at 1615 Woodward Street, Austin, Texas 78772. Records are also hosted in a FISMA-high VA Enterprise Cloud (VAEC). At the Enterprise Level this information is stored and maintained within the VA Master Person Index (VA MPI) which is defined as the authoritative data source for this information.

    SYSTEM MANAGER(S):

    Director Data Quality, vha105highealthinfogovdqleadership@va.gov or the Enterprise Help Desk at 855–673–4357, Corporate Franchise Center, 1615 Woodward Street, Austin, Texas 78772.

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    38 U.S.C. 501 and 7304.

    PURPOSE(S) OF THE SYSTEM:

    The purpose of these records is to serve as the source for the information necessary to: uniquely identify a person across the Veterans Health Administration (VHA), act as a record locator system for person records across the Administration, master the identity data and synchronize updates and changes to all the systems that know that person. The data may be used for VA's extensive research programs in accordance with VA policy. The data is used to identify and provide benefits for all persons of interest to VA and to establish the Integration Control Number (ICN) as VA's unique enterprise identifier. The information is also used to identify the VA MPI as authoritative for this data and defines the mastering and synchronizing of this data with integrated partners. The VA MPI also provides authoritative data for the identity of Veterans and beneficiaries; current and former patients; Veterans Health Administration (VHA), Veterans Benefits Administration (VBA) and National Cemetery Administration (NCA) beneficiaries; employees; providers; volunteers; trainees; contractors; and individuals working collaboratively with VA. These identity management services are used across the enterprise and with external sharing partners.

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    The records include information on caregivers; patients; current and former VHA, VBA, and NCA beneficiaries; Start Printed Page 75390 employees; providers; volunteers; trainees; contractors; as well as individuals working collaboratively with VHA. Also included are individuals examined or treated under contract or resource sharing agreements; individuals who have applied for 38 U.S.C. ch. 1 benefits, but who do not meet the requirements under 38 U.S.C. ch. 1 to receive such benefits; individuals who were provided medical care under emergency conditions for humanitarian reasons; and pensioned members of allied forces provided healthcare services under 38 U.S.C ch. 1.

    CATEGORIES OF RECORDS IN THE SYSTEM:

    The records include information related to:

    1. Information used to establish and maintain unique enterprise identifiers for VA ICNs and all associated system identifiers and related metadata. This information is used to create a unique identifier of all persons of interest to VA and all other systems that have correlated to the VA MPI.

    2. Identity information such as name, date of birth, birth sex, administrative sex, self-identified gender identity, pronoun, preferred name, Social Security Number, taxpayer identification number, date of death. Other demographic information such as home and/or mailing address; home telephone number; emergency contact information such as name, address, telephone number, and relationship; and associated audit and necessary metadata.

    3. Healthcare providers' Social Security Number and National Provider Identifier.

    RECORD SOURCE CATEGORIES:

    Information in this system of records is provided by Veterans, VA employees, VA Health Eligibility Center, VHA Program Offices, VA medical facilities, VISNs, VBA, NCA and the following systems of records: Veterans Health Information Systems and Technology Architecture (VistA) Records–VA (79VA10), Veterans Affairs Profile–VA (VA Profile) (192VA30), and any associated system of record notices that is utilizing VA MPI identity management services.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

    1. Congress: To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

    2. National Archives and Records Administration (NARA): To NARA in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.

    3. Disclosure may be made to other Government agencies in support of data exchanges of electronic medical record information approved by the individual.

    4. Law Enforcement: To a Federal, State, local, Territorial, Tribal or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting a violation or potential violation of law, whether civil, criminal, or regulatory in nature, or charged with enforcing or implementing such law, provided that the disclosure is limited to information that, either alone or in conjunction with other information, indicates such a violation or potential violation. The disclosure of the names and addresses of Veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701.

    5. Department of Justice (DoJ), Litigation, Administrative Proceeding: To DoJ, or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when:

    (a) VA or any component thereof;

    (b) Any VA employee in their official capacity;

    (c) Any VA employee in their individual capacity where DoJ has agreed to represent the employee; or

    (d) The United States, where VA determines that litigation is likely to affect the agency or any of its components is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings.

    6. Contractors: To contractors, grantees, experts, consultants, students and others performing or working on a contract, service, grant, cooperative agreement or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.

    7. Federal Agencies, Fraud and Abuse: To other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

    8. Equal Employment Opportunity Commission (EEOC): To the EEOC in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs or other functions of the Commission as authorized by law.

    9. Federal Labor Relations Authority (FLRA): To the FLRA in connection with the investigation and resolution of allegations of unfair labor practices, the resolution of exceptions to arbitration awards when a question of material fact is raised; matters before the Federal Service Impasses Panel; and the investigation of representation petitions and the conduct or supervision of representation elections.

    10. Merit Systems Protection Board (MSPB): To the MSPB in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

    11. Data Breach Response and Remediation, for Another Federal Agency: To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

    12. Federal Agencies, for Research: VA may disclose information to a Federal agency for the conduct of research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that there is legal authority under all applicable confidentiality statutes and regulations to provide the data and the VHA Office of Informatics has determined prior to the disclosure that VHA data handling requirements are satisfied.

    13. Housing and Urban Development (HUD): To HUD for the purpose of reducing homelessness among Veterans by implementing the Federal strategic plan to prevent and end homelessness as well as by evaluating and monitoring the HUD Veterans Affairs Supported Housing program.

    14. Federal Agencies, for Computer Matches: To other Federal agencies for the purpose of conducting computer matches to obtain information to determine or verify eligibility of veterans receiving VA benefits or medical care under title 38.

    15. Non-VA Health Care Providers, for Treatment: To a non-VA healthcare Start Printed Page 75391 provider, such as the Department Health and Human Services, for the purpose of treating any VA patient, including Veterans.

    16. Governmental Agencies, Health Organizations, for Claimants' Benefits: To Federal, State and local government agencies and national health organizations as reasonably necessary to assist in the development of programs that will be beneficial to claimants, to protect their rights under law, and ensure they are receiving all benefits to which they are entitled.

    17. Law Enforcement, for Locating Fugitive: To any Federal, State, local, Territorial, Tribal, or foreign law enforcement agency in order to identify, locate, or report a known fugitive felon, in compliance with 38 U.S.C. 5313B(d).

    18. Business Partners, for Collaborative Efforts: To individuals or entities with whom VA has a written agreement or arrangement to perform such services as VA may deem practical for the purpose of laws administered by VA or for identifying and correlating patients.

    19. Data Breach Response and Remediation, for VA: To appropriate agencies, entities and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities or persons reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize or remedy such harm.

    POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

    Records in this system are stored electronically.

    POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

    Records are retrieved by identifiers such as full name, Social Security Number, date of birth, ICN and other assigned unique identifiers of the individuals on whom they are maintained.

    POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

    The records are maintained and disposed of in accordance with the schedule approved by the Archivist of the United States, General Records Schedule 4, item 2.

    ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

    1. Access to VA working and storage areas is restricted to VA employees on a “need-to-know” basis; strict control measures are enforced to ensure that disclosure to these individuals is also based on this same principle. Generally, VA file areas are locked after normal duty hours and the facilities are protected from outside access by the Federal Protective Service or other security personnel.

    2. Access to file information is controlled at two levels: the systems recognize authorized employees by a series of individually unique passwords/codes as a part of each data message, and the employees are limited to only that information in the file which is needed in the performance of their official duties. Information that is downloaded from this system and maintained on personal computers is afforded similar storage and access protections as the data that is maintained in the original files. Access to information stored on automated storage media at other VA locations is controlled by individually unique passwords/codes.

    3. Access to the AITC is generally restricted to center employees, custodial personnel, Federal Protective Service and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. Information stored in the computer may be accessed by authorized VA employees at remote locations including VA healthcare facilities, Information Systems Centers, VA Central Office and Veteran Integrated Service Networks. Access is controlled by individually unique passwords/codes which must be changed periodically by the employee.

    4. The system is hosted in Amazon Web Services Government Cloud infrastructure as a service cloud computing environment that has been authorized at the high-impact level under the Federal Risk and Authorization Management Program. The secure site-to-site encrypted network connection is limited to access via the VA trusted internet connection.

    RECORD ACCESS PROCEDURES:

    Individuals seeking information on the existence and content of records in this system pertaining to them should contact the system manager in writing as indicated above, or write, call or visit the VA facility location where they are or were employed or made contact. A request for access to records must contain the requester's full name, address, telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort.

    CONTESTING RECORD PROCEDURES:

    Individuals seeking to contest or amend records in this system pertaining to them should contact the system manager in writing as indicated above, or write, call or visit the VA facility location where they are or were employed or made contact. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.

    NOTIFICATION PROCEDURES:

    Generalized notice is provided by the publication of this notice. For specific notice, see Record Access Procedure, above.

    EXEMPTIONS PROMULGATED FOR THE SYSTEM:

    None

    HISTORY:

    73 FR 72117 (November 26, 2008)

    End Supplemental Information

    [FR Doc. 2023–24193 Filed 11–1–23; 8:45 am]

    BILLING CODE P