AGENCY:

Department of Veterans Affairs (VA).

ACTION:

Notice of a New System of Records.

SUMMARY:

The Privacy Act of 1974 (5 U.S.C. 552(e) (4)) requires all agencies publish in the Federal Register a notice of the existence and character of their systems of records. Notice is hereby given that the Department of Veterans Affairs (VA) is establishing a new system of records titled “VA Mobile Application Environment (MAE)-VA” (173VA005OP2).

DATES:

Comments on this new system of records must be received no later than December 6, 2013. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the new system will become effective December 6, 2013.

ADDRESSES:

Written comments concerning the proposed amended system of records may be submitted by: Mail or hand-delivery to Director, Regulations Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue NW, Room 1068, Washington, DC 20420; fax to (202) 273-9026; or email to http://www.Regulations.gov. All comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 for an appointment. (This is not a toll-free number.)

FOR FURTHER INFORMATION CONTACT:

Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420 or by telephone at (704) 245-2492.

SUPPLEMENTARY INFORMATION:

Start Printed Page 66807

I. Description of Proposed Systems of Records

The MAE contains the core set of records to be used to support VA efforts to expand its technology into the mobile and Web-based application domain as well as facilitate utilization of applications and systems directly by patients and VA customers. The proposed system of records contains information on Veterans, Veteran beneficiaries, Veteran caregivers, members of the Armed Forces, and other VA customers in addition to VA-authorized users. VA-authorized users are VA employees, VA contractors, VA volunteers, and other individuals with permission to access VA Information Technology (IT) systems. These data are stored in VA resources, accessible to authorized users through applications utilizing services available in VA's MAE middle tier service layer (the VA Health Adapter). These records will be used in the provision of health care and benefits by VA. The records contain information that will be directly updated by Veterans, Veteran beneficiaries, Veteran caregivers, members of the Armed Forces, Reserves and National Guard, other VA customers, and VA-authorized users, such as demographics (e.g., name, social security number, physical address, phone number, email address), health-related information (e.g., vital signs, allergies, medications, health-related history, health assessments), benefits-related information, information provided to VA for the potential provision of services and benefits, military history and service, preferences for authorizing the sharing of their health information (e.g., electronic surrogate authorizations, electronic surrogate revocations). The records may include identifiers such as VA's integration control number. The records include information provided by Veterans and their beneficiaries or caregivers, members of the Armed Forces, Reserves or National Guard, VA employees, other VA-authorized users (e.g., Department of Defense), and information from VA computer systems and databases including, but not limited to, Veterans Health Information Systems and Technology Architecture (VistA)-VA (79VA10P2), National Patient Databases-VA (121VA10P2), VA Medical Centers (VAMC), Federal and non-Federal Veterans Lifetime Electronic Records (VLER)/eHealth Exchange partners, and the Department of Defense (DoD).

The purpose of the system of records is to provide a repository for the clinical and administrative information that is collected, retrieved, or displayed from within a VA mobile or Web application. The purpose of use will include, but not be limited to: Health care treatment information, disability adjudication, and benefits to the Veteran both within the VAMC and in sharing with partners who are participating through the eHealth Exchange in VA's Mobile pilots and subsequent public and enterprise roll-out of new applications. Data may also be used at an aggregate, non-personally identifiable level to track and evaluate local or national health and benefits initiatives and preventative-care measures, such as detecting outbreaks of flu or other diseases, detection of antibiotic resistance bacteria, etc. The data may be used for such purposes as scheduling patient treatment services, including nursing care, clinic appointments, surveys, diagnostic and therapeutic procedures. The data may also be used for the purpose of health care operations such as: Producing various management and patient follow-up reports; responding to patients and other inquiries for epidemiological research and other health care-related studies, statistical analysis, resource allocation and planning; providing clinical and administrative support to patient medical care; determining entitlement and eligibility for VA benefits; processing and adjudicating benefit claims by Veterans Benefits Administration Regional Office (VARO) staff, for audits, reviews, and investigations conducted by staff of VA Central Office, and VA's Office of Inspector General (OIG); sharing of health information between and among VHA, DoD, Indian Health Services (IHS), and other Government and private industry health care organizations; law enforcement investigations; quality assurance audits, reviews, and investigations; personnel management and evaluation; employee ratings and performance evaluations; and employee disciplinary or other adverse action, including discharge; advising health care professional licensing or monitoring bodies or similar entities of activities of VA and former VA health care personnel.

II. Proposed Routine Use Disclosures of Data in the System

To the extent that records contained in the system include information protected by 38 United States Code (U.S.C.) 7332 (e.g., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus). That information cannot be disclosed under a routine use unless there is also specific statutory authority permitting disclosure.

VHA is proposing the following routine use disclosures of information to be maintained in the system:

1. On its own initiative, VA may disclose information, except for the names and home addresses of Veterans and their dependents, to a Federal, state, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order issued pursuant thereto. On its own initiative, VA may also disclose the names and addresses of Veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order issued pursuant thereto. VA must be able to comply with the requirements of agencies charged with enforcing the law and conducting investigations. VA must also be able to provide information to state or local agencies charged with protecting the public's health as set forth in state law.

2. Disclosure may be made to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose(s) of the request, and to identify the type of information requested), when necessary to obtain information relevant to an individual's eligibility, care history, or other benefits.

3. Disclosure may be made to an agency in the executive, legislative, or judicial branch, or the District of Columbia's government in response to its request or at the initiation of VA, in connection with disease tracking, patient outcomes, or other health information required for program accountability.

4. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress or a staff person acting for the Member, when the Member or staff person requests the record on behalf of and at the written request of the individual. Individuals sometimes request the help of a Member of Congress in resolving some issues relating to a matter before VA. The Member of Congress then writes to VA, and VA must be able to give sufficient information to give response to the inquiry.

5. Disclosure may be made to the National Archives and Records Administration (NARA) and the General Services Administration (GSA) in Start Printed Page 66808records management inspections conducted under authority of Title 44, Chapter 29, of the United States Code. NARA and GSA are responsible for the management of old records no longer actively used, but which may be appropriate for preservation, and for the physical maintenance of the Federal Government's records. VA must be able to provide the records to NARA and GSA in order to determine the proper disposition of such records.

6. VA may disclose information from this system of records to the Department of Justice (DOJ), either on VA's initiative or in response to DOJ's request for the information, after either VA or DOJ determines that such information is relevant to DOJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to DOJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

7. Records from this system of records may be disclosed to inform a Federal agency, licensing boards, or the appropriate non-Government entities about the health care practices of a terminated, resigned, or retired health care employee whose professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients receiving medical care in the private sector or from another Federal agency.

8. Disclosure may be made to a national certifying body which has the authority to make decisions concerning the issuance, retention, or revocation of licenses, certifications or registrations required to practice a health care profession, when requested in writing by an investigator or supervisory official of the national certifying body for the purpose of making a decision concerning the issuance, retention, or revocation of the license, certification, or registration of a named health care professional. VA must be able to report information regarding the care a health care practitioner provides to a national certifying body charged with maintaining the health and safety of patients by making a decision about a health care professional's license, certification, or registration, such as issuance, retention, revocation, or other actions such as suspension.

9. Disclosure may be made to officials of labor organizations recognized under 5 U.S.C. Chapter 71, when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions.

10. Disclosure may be made to the VA-appointed representative of an employee all notices, determinations, decisions, or other written communications issued to the employee in connection with an examination ordered by VA under medical evaluation (formerly fitness-for-duty) examination procedures or Department-filed disability retirement procedures.

11. VA may disclose information to officials of the Merit Systems Protection Board (MSPB) or the Office of Special Counsel (OSC), when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

12. VA may disclose information to the Equal Employment Opportunity Commission (EEOC) when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or for other functions of the Commission as authorized by law or regulation. VA must be able to provide information to the Commission to assist it in fulfilling its duties to protect employees' rights, as required by statute and regulation.

13. VA may disclose to the Fair Labor Relations Authority (FLRA) (including its General Counsel) information related to the establishment of jurisdiction, the investigation and resolution of allegations of unfair labor practices, or information in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; to disclose information in matters properly before the Federal Services Impasse Panel (FSIP) and to investigate representation petitions and conduct or supervise representation elections. VA must be able to provide information to FLRA to comply with the statutory mandate under which it operates.

14. Disclosure of medical record data, excluding name and address, unless name and address are furnished by the requester, may be made to epidemiological and other research facilities for research purposes determined to be necessary and proper when approved in accordance with VA policy.

15. Disclosure of names and addresses of present or former personnel of the Armed Forces and/or their dependents, may be made to: (a) A Federal department or agency, at the written request of the head or designee of that agency; or (b) directly to a contractor or subcontractor of a Federal department or agency, for the purpose of conducting Federal research necessary to accomplish a statutory purpose of an agency. When disclosure of this information is made directly to a contractor, VA may impose applicable conditions on the department, agency, and/or contractor to ensure the appropriateness of the disclosure to the contractor.

16. Disclosures of relevant information may be made to individuals, organizations, private or public agencies, or other entities with whom VA has a contract or agreement or where there is a subcontract to perform the services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA.

17. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

18. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that, as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency), or disclosure is to agencies, entities, or persons whom VA determines are Start Printed Page 66809reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

19. VA may disclose any information to another covered entity that is a Government agency administering a Government program providing public benefits if the programs serve the same or similar populations as VA, and the disclosure of information is necessary to coordinate the functions of such programs or to improve administration and management relating to the functions of such programs.

20. VA may disclose health care information to a non-VA health care provider, such as private health care providers or hospitals, DoD, or IHS providers, for the purpose of treating VA patients. To better facilitate medical care and treatment for Veterans, VA must be prepared to share health information between VHA, DoD, IHS, and other government health care organizations.

21. VA may disclose information to a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in pending or reasonably anticipated litigation against the individual regarding health care provided during the period of his or her employment or contract with VA.

III. Compatibility of the Proposed Routine Uses

The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which VA collected the information. In all of the routine use disclosures described above, either the recipient of the information will use the information in connection with a matter relating to one of VA's programs, to provide a benefit to the VA, or to disclose information as required by law.

Under section 264, Subtitle F of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 100 Stat. 1936, 2033-34 (1996), the United States Department of Health and Human Services (HHS) published a final rule, as amended, establishing Standards for Privacy of Individually-Identifiable Health Information, 45 CFR Parts 160 and 164. VHA may not disclose individually identifiable health information (as defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to a routine use unless either: (a) the disclosure is required by law, or (b) the disclosure is also permitted or required by HHS' Privacy Rule. The disclosures of individually-identifiable health information contemplated in the routine uses published in this amended system of records notice are permitted under the Privacy Rule or required by law. However, to also have authority to make such disclosures under the Privacy Act, VA must publish these routine uses. Consequently, VA is publishing these routine uses and is adding a preliminary paragraph to the routine uses portion of the system of records notice stating that any disclosure pursuant to the routine uses in this system of records notice must be either required by law or permitted by the Privacy Rule, before VHA may disclose the covered information.

The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director, Office of Management and Budget (OMB), as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

173VA005OP2

SYSTEM NAME:

VA Mobile Application Environment (MAE)-VA

SYSTEM LOCATION:

Records are maintained at VA Contracted Service Provider, Terremark, at 18155 Technology Drive, Culpeper, VA 22701-3805.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records contain information on Veterans, Veteran beneficiaries, Veteran caregivers, members of the Armed Forces, Reserves and National Guard, and other VA customers in addition to VA authorized users (e.g., VA employees, VA contractors, VA volunteers, and other individuals permitted VA have access to VA IT systems).

CATEGORIES OF RECORDS IN THE SYSTEM:

The records may include information related to data entered through Web and mobile applications developed and maintained by VA, accessed and updated by the individuals covered by the system as well as by VA-authorized users. The records may contain information, such as demographics (e.g., name, social security numbers, physical address, phone number, email address), health-related information (e.g., vital signs, allergies, medications, health-related history, health assessments), benefit-related information, information provided to VA for the potential provision of services and benefits, military history and services, preferences for authorizing the sharing of their health information (e.g., electronic surrogate authorizations, electronic surrogate revocations). The records may include identifiers such as VA's integration control number. The information will be primarily benefits and health-related but may include other information such as customer-entered updates to demographic information.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code, Section 501.

PURPOSE(S):

The records and information will be used to provide a repository for the clinical and administrative information that is collected, retrieved, or displayed from within a VA mobile or Web application. The purpose of use will include, but not be limited to, health care treatment information, disability adjudication, and benefits to the Veteran both within the VA Medical Center and in sharing with partners who are participating through the eHealth Exchange in VA's Mobile pilots and subsequent public and enterprise roll-out of new applications. Data may also be used at an aggregate, non-personally identifiable level to track and evaluate local or national health and benefits initiatives and preventative-care measures, such as detecting outbreaks of flu or other diseases, detection of antibiotic resistance bacteria, etc. These data may be used for such purposes as scheduling patient treatment services, including nursing care, clinic appointments, surveys, diagnostic, and therapeutic procedures. These data may also be used for the purpose of health care operations, such as producing various management and patient follow-up reports; responding to patient and other inquiries; for epidemiological research and other health care-related studies; statistical analysis, resource allocation and planning; providing clinical and administrative support to patient medical care; determining entitlement and eligibility for VA Start Printed Page 66810benefits; processing and adjudicating benefit claims by Veterans Benefits Administration Regional Office staff; for audits, reviews, and investigations conducted by staff of VA Central Office and VA's OIG; sharing of health information between and among VHA, DoD, IHS, and other Government and private industry health care organizations; law enforcement investigations; quality assurance audits, reviews, and investigations; personnel management and evaluation; employee ratings and performance evaluations; and employee disciplinary or other adverse action, including discharge; advising health care professional licensing or monitoring bodies or similar entities of activities of VA and former VA health care personnel.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 38 U.S.C. 7332, (e.g., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus), that information cannot be disclosed under a routine use unless there is also specific statutory authority permitting disclosure.

1. On its own initiative, VA may disclose information, except for the names and home addresses of Veterans and their dependents, to a Federal, state, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order issued pursuant thereto. On its own initiative, VA may also disclose the names and addresses of Veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order issued pursuant thereto.

2. Disclosure may be made to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose(s) of the request), and to identify the type of information requested), when necessary to obtain information relevant to an individual's eligibility, care history, or other benefits.

3. Disclosure may be made to an agency in the executive, legislative, or judicial branch, or the District of Columbia's government in response to its request or at the initiation of VA, in connection with disease tracking, patient outcomes or other health information required for program accountability.

4. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the Member, when the Member or staff person requests the record on behalf of and at the written request of the individual.

5. Disclosure may be made to NARA and GSA in records management inspections conducted under authority of Title 44, Chapter 29, of the United States Code.

6. VA may disclose information from this system of records to DOJ, either on VA's initiative or in response to DOJ's request for the information, after either VA or DOJ determines that such information is relevant to DOJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to DOJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

7. Records from this system of records may be disclosed to inform a Federal agency, licensing boards, or the appropriate non-Government entities about the health care practices of a terminated, resigned, or retired health care employee whose professional health care activity so significantly failed to conform to generally-accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients receiving medical care in the private sector or from another Federal agency.

8. Disclosure may be made to a national certifying body which has the authority to make decisions concerning the issuance, retention, or revocation of licenses, certifications or registrations required to practice a health care profession, when requested in writing by an investigator or supervisory official of the national certifying body for the purpose of making a decision concerning the issuance, retention, or revocation of the license, certification, or registration of a named health care professional.

9. Disclosure may be made to officials of labor organizations recognized under 5 U.S.C. Chapter 71, when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions.

10. Disclosure may be made to the VA-appointed representative of an employee all notices, determinations, decisions, or other written communications issued to the employee in connection with an examination ordered by VA under medical evaluation (formerly fitness-for-duty) examination procedures or Department-filed disability retirement procedures.

11. VA may disclose information to officials of MSPB or OSC, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

12. VA may disclose information to EEOC when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or for other functions of the Commission as authorized by law or regulation.

13. VA may disclose to FLRA (including its General Counsel) information related to the establishment of jurisdiction, investigation, and resolution of allegations of unfair labor practices, or information in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised to disclose information in matters properly before the Federal Services Impasse Panel and to investigate representation petitions and conduct or supervise representation elections.

14. Disclosure of medical record data, excluding name and address, unless name and address is furnished by the requester, may be made to epidemiological and other research facilities for research purposes determined to be necessary and proper when approved in accordance with VA policy.

15. Disclosure of names and addresses of present or former personnel of the Armed Forces, and/or their dependents, may be made to: (a) a Federal department or agency, at the written request of the head or designee of that agency; or (b) directly to a contractor or subcontractor of a Federal department or agency, for the purpose of conducting Start Printed Page 66811Federal research necessary to accomplish a statutory purpose of an agency. When disclosure of this information is made directly to a contractor, VA may impose applicable conditions on the department, agency, and/or contractor to ensure the appropriateness of the disclosure to the contractor.

16. Disclosures of relevant information may be made to individuals, organizations, private or public agencies, or other entities with whom VA has a contract or agreement or where there is a subcontract to perform the services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA.

17. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

18. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

19. VA may disclose any information to another covered entity that is a Government agency administering a Government program providing public benefits if the programs serve the same or similar populations as VA, and the disclosure of information is necessary to coordinate the functions of such programs or to improve administration and management relating to the functions of such programs.

20. VA may disclose health care information to a non-VA health care provider, such as private health care providers or hospitals, DoD, or IHS providers, for the purpose of treating VA patients.

21. VA may disclose information to a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in pending or reasonably anticipated litigation against the individual regarding health care provided during the period of his or her employment or contract with VA.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Records are maintained on electronic storage media including magnetic tape, disk, and laser optical media.

RETRIEVABILITY:

Records may be retrieved by name, social security number, VA's integration control number, or other assigned identifiers of the individuals for whom they are maintained.

SAFEGUARDS:

1. Access to and use of national administrative databases, warehouses, and data marts are limited to those persons whose official duties require such access, and VA has established security procedures to ensure that access is appropriately limited. Information security officers and system data stewards review and authorize data access requests. VA regulates data access with security software that authenticates users and requires individually-unique codes and passwords. VA requires information security training for all staff and instructs staff on the responsibility each person has for safeguarding data confidentiality.

2. Physical access to computer rooms housing national administrative databases, warehouses, and data marts is restricted to authorized staff and protected by a variety of security devices. Unauthorized employees, contractors, and other staff are not allowed in computer rooms.

3. Data transmissions between operational systems and national administrative databases, warehouses, and data marts maintained by this system of record are protected by state-of-the-art telecommunication software and hardware. This may include firewalls, intrusion detection devices, encryption, and other security measures necessary to safeguard data as it travels across the VA-Wide Area Network.

4. In most cases, copies of back-up computer files are maintained at off-site locations.

RETENTION AND DISPOSAL:

Records from this system that are needed for audit purposes will be disposed of 6 years after a user's account becomes inactive. Routine records will be disposed of when the agency determines they are no longer needed for administrative, legal, audit, or other operational purposes. These retention and disposal statements are pursuant to NARA General Records Schedules GRS 20, item 1c and GRS 24, item 6a.

SYSTEM MANAGER(S) AND ADDRESS:

Official maintaining this system of records and responsible for policies and procedures is the Executive Director of VA Enterprise Infrastructure Engineering, VA Office of Information and Technology, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420. Official delegated to maintain this system of records on behalf of VA OIT is the Director of VA Connected Health, VHA Office of Informatics and Analytics, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420.

NOTIFICATION PROCEDURE:

Individuals who wish to determine whether this system of records contains information about them should contact the Director of VA Connected Health, VHA Office of Informatics and Analytics, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420 or via the Web at http://mobilehealth.va.gov. Inquiries should include the person's full name, social security number, and their return address.

RECORD ACCESS PROCEDURES:

Individuals seeking information regarding access to and contesting of records in this system may write the Director of VA Connected Health, VHA Office of Informatics and Analytics, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420. Inquiries should, at a minimum, include the person's full name, social security number, type of information Start Printed Page 66812requested or contested, their return address, and phone number.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:

Information in this system of records is provided by Veterans and their beneficiaries or caregivers, members of the Armed Services, Reserves or National Guard; VA employees, other VA-authorized users (e.g., DoD), and information from VA computer systems and databases include, but not limited to, Veterans Health Information Systems and Technology Architecture (VistA)-VA (79VA10P2) and National Patient Databases-VA (121VA10P2), VAMCs, Federal and non-Federal VLER/eHealth Exchange partners, and DoD.