AGENCY:

Department of Veterans Affairs (VA).

ACTION:

Notice of a Modified System of Records.

SUMMARY:

As required by the Privacy Act of 1974, notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records entitled “The Revenue Program-Billing and Collections Records-VA” (114VA16) as set forth in a notice, published in the Federal Register on February 11, 2014. VA is amending the system of records by revising the System Number, System Manager, Categories of Individuals Covered by the System, Categories of Records in the System, Record Source Categories, Routine Uses of Records Maintained in the System, Policies and Practices for Retention and Disposal of Records, and Safeguards. VA is republishing the system notice in its entirety.

DATES:

Comments on this amended system of records must be received no later than April 13, 2018. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the amended system will become effective April 13, 2018.

ADDRESSES:

Written comments may be submitted through www.Regulations.gov; by mail or hand-delivery to Director, Regulation Policy and Management (00REG), Department of Veterans Affairs, 810 Vermont Ave. NW, Room 1064, Washington, DC 20420; or by fax to (202) 273-9026 (not a toll-free number). Comments should indicate that they are submitted in response to “The Revenue Program-Billing and Collections Records-VA”. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 for an appointment. (This is not a toll-free number.) In addition, comments may be viewed online at www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT:

Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION:

The System Number is changed from 114VA16 to 114VA10D to reflect the current organizational alignment.

System Manager is being amended to replace Chief Business Officer, Chief Business Office (16) with Deputy Under Secretary for Health, Office of Community Care (10D).

Categories of Individuals Covered by the System is being amended to add “or Community Care programs, such as Choice” to Item 9. Healthcare professionals providing examination or treatment to individuals under contract or resource sharing agreements.

Categories of Records in the System is being amended to remove the universal personal identification number. In Item 3, International Classification of Diseases (ICD)-9-CM will be replaced with ICD-10-CM. Drug Enforcement Administration (DEA) number was added to Item 6.

The Record Source Categories is being amended to change 77VA10Q to 77VA10A4 and 79VA19 to 79VA10P2.

The Routine Uses of Records Maintained in the System has been amended by adding language to Routine Use #20 which states, “a. Effective Response. A federal agency's ability to respond quickly and effectively in the event of a breach of federal data is critical to its efforts to prevent or minimize any consequent harm. An effective response necessitates disclosure of information regarding the breach to those individuals affected by it, as well as to persons and entities in a position to cooperate, either by assisting in notification to affected individuals or playing a role in preventing or minimizing harms from the breach. b. Disclosure of Information. Often, the information to be disclosed to such persons and entities is maintained by federal agencies and is subject to the Privacy Act (5 U.S.C. 552a). The Privacy Act prohibits the disclosure of any record in a system of records by any means of communication to any person or agency absent the written consent of the subject individual, unless the disclosure falls within one of twelve statutory exceptions. In order to ensure an agency is in the best position to respond in a timely and effective manner, in accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, agencies should publish a routine use for appropriate systems specifically applying to the disclosure of information in connection with response and remedial efforts in the event of a data breach.”

Routine use #23 is also being added to state, “VA may, on its own initiative, disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. VA needs this routine use for the data breach response and remedial efforts with another Federal agency.”

Routine Use #24 is being added to state, “VA may disclose relevant information to attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and courts, boards, or commissions, to the extent necessary to aid VA in the preparation, presentation, and prosecution of claims authorized under Federal, State, or local laws, and regulations promulgated thereunder.” VA must be able to release billing information that is related to VA's claims for recovery to health insurers, workers compensation insurers, auto reparations insurers, and any other entity liable to pay VA.

Routine Use #25 is being added to state, “VA may disclose relevant information to health plans, quality review and/or peer review organizations in connection with the audit of claims or other review activities to determine quality of care or compliance with professionally accepted claims processing standards.” This routine use permits disclosure of information for quality assessment audits received by Healthcare Effectiveness Data and Information Set or similar auditors.

Policies and Practices for Retention and Disposal of Records has been amended to replace “Paper records and Start Printed Page 11304information stored on electronic storage media are maintained and disposed of in accordance with records disposition authority approved by the Archivist of the United States” with Follow the requirement of RCS 10-1 Chapter 4 Item 4000.1 a & b. 4000.1 Financial transaction records related to procuring goods and services, paying bills, collecting debts, and accounting.

a. Official Record Held in the Office of Record

Temporary; destroy 6 years after final payment or cancellation, but longer retention is authorized if required for business use. (GRS 1.1, Item 010) (DAA-GRS-2016-0001-0002)

b. All Other Copies

Temporary; destroy or delete when 6 years old, but longer retention is authorized if required for business use. (GRS 1.1 item 013) (DAA-GRS-2016-0001-0002).”

Administrative, Technical, and Physical Safeguards is being amended to replace Automation Center (AC) with Austin Information Technology Center (AITC).

The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. John Oswalt, Executive Director for Privacy, Department of Veterans Affairs approved this document on January 18, 2018, for publication.

SYSTEM NAME

The Revenue Program-Billing and Collections Records—VA (114VA10D)

SECURITY CLASSIFICATION:

None.

SYSTEM LOCATION:

Records are maintained at each VA healthcare facility. In most cases, backup computer tape information is stored at off-site locations. Address locations for VA facilities are listed in VA Appendix 1 of the biennial publication of VA Privacy Act Issuances. In addition, information from these records or copies of records may be maintained at the Department of Veterans Affairs (VA), 810 Vermont Avenue NW, Washington, DC; the VA Austin Automation Center (AAC), Austin, Texas; Veterans Integrated Service Network (VISN) Offices; VA Allocation Resource Center (ARC), Boston, Massachusetts, and contractor facilities.

SYSTEM MANAGER(S):

The official responsible for policies and procedures is the Deputy Under Secretary for Health, Office of Community Care (10D), Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. The local officials responsible for maintaining the system are the Director of the facility where the individual is or was associated.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code (U.S.C.), sections 1710 and 1729.

PURPOSE(S) OF THE SYSTEM:

The records and information are used for the billing of, and collections from a third party payer, including insurance companies, other Federal agencies, or foreign governments, for medical care or services received by a Veteran for a non-service connected condition or from a first party Veteran required to make copayments. The records and information are also used for the billing of and collections from other Federal agencies for medical care or services received by an eligible beneficiary. The data may be used to identify and/or verify insurance coverage of a Veteran or Veteran's spouse prior to submitting claims for medical care or services. The data may be used to support appeals for non-reimbursement of claims for medical care or services provided to a Veteran. The data may be used to enroll health care providers with health plans and VA's health care clearinghouse in order to electronically file third party claims. For the purposes of health care billing and payment activities to and from third party payers, VA will disclose information in accordance with the legislatively-mandated transaction standard and code sets promulgated by the United States Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act (HIPAA). The data may be used to make application for an NPI, as required by the HIPAA Administrative Simplification Rule on Standard Unique Health Identifier for Healthcare Providers, 45 CFR part 162, for all health care professionals providing examination or treatment within VA health care facilities, including participation in pilot test of NPI enumeration system by the Centers of Medicare and Medicaid Services (CMS). The records and information may be used for statistical analyses to produce various management, tracking and follow-up reports, to track and trend the reimbursement practices of insurance carriers, and to track billing and collection information. The data may be used to support, or in anticipation of supporting, reimbursement claims from community health care providers or their agents. The data may be used to support, or in anticipation of supporting, reimbursement claims from academic affiliates with which VA maintains a business relationship.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

1. Veterans who have applied for healthcare services under Title 38, United States Code, Chapter 17, and in certain cases members of their immediate families.

2. Beneficiaries of other Federal agencies.

3. Individuals examined or treated under contract or resource sharing agreements.

4. Individuals examined or treated for research or donor purposes.

5. Individuals who have applied for Title 38 benefits but who do not meet the requirements under Title 38 to receive such benefits.

6. Individuals who were provided medical care under emergency conditions for humanitarian reasons.

7. Pensioned members of allied forces (Allied Beneficiaries) who are provided healthcare services under Title 38, United States Code, Chapter 1.

8. Healthcare professionals providing examination or treatment to any individuals within VA healthcare facilities.

9. Healthcare professionals providing examination or treatment to individuals under contract or resource sharing agreements or Community Care programs, such as Choice.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records may include information related to:

1. The social security number and insurance policy number of the Veteran and/or Veteran's spouse. The record may include other identifying Start Printed Page 11305information (e.g., name, date of birth, age, sex, marital status) and address information (e.g., home and/or mailing address, home telephone number).

2. Insurance company information specific to coverage of the Veteran and/or spouse to include annual deductibles and benefits.

3. Diagnostic codes (ICD-10-CM, CPT-4, and any other coding system) pertaining to the individual's medical, surgical, psychiatric, dental and/or psychological examination or treatment.

4. Charges claimed to a third party payer, including insurance companies, other Federal agencies, or foreign governments, based on treatment/services provided to the patient.

5. Charges billed to those Veterans who are required to meet co-payment obligations for treatment/services rendered by VA.

6. The name, social security number, Drug Enforcement Administration (DEA) number, National Provider Identifier (NPI) and credentials including provider's degree, licensure, certification, registration or occupation of healthcare providers.

7. Records of charges related to patient care that are created in anticipation of litigation in which the United States is a party or has an interest in the litigation or potential litigation, including a third-party tortfeasor, workers compensation, or no-fault automobile insurance cases. Such records are not subject to disclosure under 5 U.S.C. 552a(d)(5).

RECORD SOURCE CATEGORIES:

The patient, family members or guardian, and friends, employers or other third parties when otherwise unobtainable from the patient or family; health insurance carriers; private medical facilities and healthcare professionals; state and local agencies; other Federal agencies; VA regional offices; Veterans Benefits Administration automated record systems, including Veterans and

Beneficiaries Identification and Records Location Subsystem—VA (38VA23) and the Compensation, Pension, Education and Rehabilitation Records—VA (58VA21/22); and various automated systems providing clinical and facilities to include Health Care Provider Credentialing and Privileging Records—VA (77VA10A4) and Veterans Health Information Systems and Technology Architecture (VistA) (79VA10P2).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually-identifiable health information, and 38 U.S.C. 7332; i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.

1. On its own initiative, VA may disclose information, except for the names and home address of veterans and their dependents, to a Federal, state, local, tribal or foreign agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. On its own initiative, VA may also disclose the names and addresses of Veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

2. Disclosure may be made to an agency in the executive, legislative, or judicial branch, or the District of Columbia government in response to its request or at the initiation of VA, in connection with the letting of a contract, other benefits by the requesting agency, or the lawful statutory, administrative, or investigative purpose of the agency to the extent that the information is relevant and necessary to the requesting agency's decision. However, names and addresses of veterans and their dependents will be released only to Federal entities.

3. Disclosure may be made to a Congressional office from the record of an individual in response to an inquiry from the Congressional office made at the request of that individual.

4. Disclosure may be made to National Archives and Records Administration (NARA) in records management inspections conducted under authority of Title 44 U.S.C.

5. Disclosure may be made to the Department of Justice and United States attorneys in defense or prosecution of litigation involving the United States, and to Federal agencies upon their request in connection with review of administrative tort claims filed under the Federal Tort Claims Act, 28 U.S.C. 2672.

6. Any information in this system of records, including personal information obtained from other Federal agencies through computer-matching programs, may be disclosed for the purposes identified below to any third party, except consumer reporting agencies, in connection with any proceeding for the collection of an amount owed to the United States by virtue of a person's participation in any benefit program administered by VA. Information may be disclosed under this routine use only to the extent that it is reasonably necessary for the following purposes: (a) To assist VA in collection of Title 38 overpayments, overdue indebtedness, and/or costs of services provided individuals not entitled to such services; and (b) to initiate civil or criminal legal actions for collecting amounts owed to the United States and/or for prosecuting individuals who willfully or fraudulently obtain Title 38 benefits without entitlement. This disclosure is consistent with 38 U.S.C. 5701(b)(6).

7. The name and address of a veteran, other information as is reasonably necessary to identify such Veteran, including personal information obtained from other Federal agencies through computer matching programs, and any information concerning the Veteran's indebtedness to the United States by virtue of the person's participation in a benefits program administered by VA may be disclosed to a consumer reporting agency for purposes of assisting in the collection of such indebtedness, provided that the provisions of 38 U.S.C. 5701(g)(4) have been met.

8. The name of a veteran, or other beneficiary, other information as is reasonably necessary to identify such individual, and any information concerning the individual's indebtedness by virtue of a person's participation in a medical care and treatment program administered by VA, may be disclosed to the Treasury Department, Internal Revenue Service, for the collection of indebtedness arising from such program by the withholding of all or a portion of the person's Federal income tax refund. These records may be disclosed as part of a computer-matching program to accomplish these purposes.

9. Relevant information (excluding medical treatment information related to drug or alcohol abuse, infection with the human immunodeficiency virus or sickle cell anemia) may be disclosed to HHS for the purpose of identifying improper duplicate payments made by Medicare fiscal intermediaries where VA was authorized and was responsible for payment for medical services obtained at community healthcare facilities.Start Printed Page 11306

10. The social security number, universal personal identification number, NPI, credentials, and other identifying information of a healthcare provider may be disclosed to a third party where the third party requires the Department provide that information before it will pay for medical care provided by VA.

11. Relevant information may be disclosed to individuals, organizations, private or public agencies, etc., with whom VA has a contract or agreement to perform such services as VA may deem practical for the purposes of laws administered by VA, in order for the contractor and/or subcontractor to perform the services of the contract or agreement.

12. Relevant information from this system of records may be disclosed to the National Practitioner Data Bank and/or State Licensing Board in the State(s) in which a practitioner is licensed, in which the VA facility is located, and/or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning: (a) Any payment for the benefit of a physician, dentist, or other licensed healthcare practitioner which was made as the result of a settlement or judgment of a claim of medical malpractice if an appropriate determination is made in accordance with agency policy that payment was related to substandard care, professional incompetence or professional misconduct on the part of the individual; (b) a final decision which relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician, dentist or other licensed healthcare practitioner for a period longer than 30 days; or, (c) the acceptance of the surrender of clinical privileges, or any restriction of such privileges by a physician, dentist, or other licensed healthcare practitioner either while under investigation by the healthcare entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer-matching program to accomplish these purposes.

13. Relevant information may be disclosed from this system of records to any third party or Federal agency such as the Department of Defense, Office of Personnel Management, HHS and government-wide third-party insurers responsible for payment of the cost of medical care for the identified patients, in order for VA to seek recovery of the medical care costs. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

14. Relevant information, including the nature and amount of a financial obligation, may be disclosed in order to assist VA in the collection of unpaid financial obligations owed VA, to a debtor's employing agency or commanding officer, so that the debtor employee may be counseled by his or her Federal employer or commanding officer. This purpose is consistent with 5 U.S.C. 5514, 4 CFR 102.5, and section 206 of Executive Order 11222 of May 8, 1965 (30 FR 6469).

15. Identifying information such as name, address, social security number and other information as is reasonably necessary to identify such individual, may be disclosed to the National Practitioner Data Bank at the time of hiring and/or clinical privileging/re-privileging of healthcare practitioners, and at other times as deemed necessary by VA, in order for VA to obtain information relevant to a Department decision concerning the hiring, privileging/re-privileging, retention or termination of the applicant or employee.

16. Disclosure of individually identifiable health information including billing information for the payment of care may be made by appropriate VA personnel, to the extent necessary and on a need-to-know basis consistent with good medical-ethical practices, to family members and/or the person(s) with whom the patient has a meaningful relationship.

17. Provider identifying information may be disclosed from this system of records to CMS to test the enumeration system for the NPI and once the system is operational, to obtain an NPI for any eligible healthcare professional providing examination or treatment with VA healthcare facilities.

18. Relevant information may be disclosed to community health care providers or their agents where the community health care provider provides health care treatment to veterans and requires the Department provide that information in order for that entity or its agent to submit, or in anticipation of submission of, a health care reimbursement claim or, in the case of the NPI, for permissible purposes specified in the HIPAA legislation (45 CFR part 162).

19. Relevant information may be disclosed to an academic affiliate with which VA maintains a business relationship, where the VA provider also maintains an appointment to that academic affiliate's medical staff. This disclosure is to support, or in anticipation of supporting, a health care reimbursement claim(s) or, in the case of the NPI, for permissible purposes specified in the HIPAA legislation (45 CFR part 162).

20. Any records may be disclosed to appropriate agencies, entities, and persons under the following circumstances: When (1) it is suspected or confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure is made to such agencies, entities, and persons who are reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by VA to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

a. Effective Response. A federal agency's ability to respond quickly and effectively in the event of a breach of federal data is critical to its efforts to prevent or minimize any consequent harm. An effective response necessitates disclosure of information regarding the breach to those individuals affected by it, as well as to persons and entities in a position to cooperate, either by assisting in notification to affected individuals or playing a role in preventing or minimizing harms from the breach.

b. Disclosure of Information. Often, the information to be disclosed to such persons and entities is maintained by federal agencies and is subject to the Privacy Act (5 U.S.C. 552a). The Privacy Act prohibits the disclosure of any record in a system of records by any means of communication to any person or agency absent the written consent of the subject individual, unless the disclosure falls within one of twelve statutory exceptions. In order to ensure an agency is in the best position to respond in a timely and effective manner, in accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, agencies should publish a routine use for Start Printed Page 11307appropriate systems specifically applying to the disclosure of information in connection with response and remedial efforts in the event of a data breach.

21. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

22. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

23. VA may, on its own initiative, disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

24. VA may disclose relevant information to attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and courts, boards, or commissions, to the extent necessary to aid VA in the preparation, presentation, and prosecution of claims authorized under Federal, State, or local laws, and regulations promulgated thereunder.

25. VA may disclose relevant information to health plans, quality review and/or peer review organizations in connection with the audit of claims or other review activities to determine quality of care or compliance with professionally accepted claims processing standards.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:

Pursuant to 5 U.S.C. 552a(b)(12), VA may disclose records from this system to consumer reporting agencies as defined in the Fair Credit Reporting Act (15 U.S.C. 1681a(f)) or the Federal Claims Collection Act of 1966 (31 U.S.C. 3701(a)(3)).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are maintained on paper or electronic media.

POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:

Records are retrieved by name, social security number or other assigned identifier of the individuals on whom they are maintained, or by specific bill number assigned to the claim of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Follow the requirement of RCS 10-1 Chapter 4 Item 4000.1 a & b.

4000.1 Financial transaction records related to procuring goods and services, paying bills, collecting debts, and accounting.

a. Official record held in the office of record.

Temporary; destroy 6 years after final payment or cancellation, but longer retention is authorized if required for business use. (GRS 1.1, Item 010) (DAA-GRS-2016-0001-0002).

b. All Other copies.

Temporary; destroy or delete when 6 years old, but longer retention is authorized if required for business use. (GRS 1.1 item 013) (DAA-GRS-2016-0001-0002).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

1. Access to VA working and storage areas is restricted to VA employees on a “need-to-know” basis; strict control measures are enforced to ensure that disclosure to these individuals is also based on this same principle. Generally, VA file areas are locked after normal duty hours and the facilities are protected from outside access by the Federal Protective Service or other security personnel.

2. Information in VistA may only be accessed by authorized VA personnel. Access to file information is controlled at two levels. The systems recognize authorized personnel by series of individually unique passwords/codes as a part of each data message, and personnel are limited to only that information in the file, which is needed in the performance of their official duties. Information that is downloaded from VistA and maintained on personal computers is afforded similar storage and access protections as the data that is maintained in the original files. Access to information stored on automated storage media at other VA locations is controlled by individually unique passwords/codes. Access by Office of Inspector General (OIG) staff conducting an audit, investigation, or inspection at the healthcare facility, or an OIG office location remote from the healthcare facility, is controlled in the same manner.

3. Information downloaded from VistA and maintained by the OIG headquarters and Field Offices on automated storage media is secured in storage areas for facilities to which only OIG staff have access. Paper documents are similarly secured. Access to paper documents and information on automated storage media is limited to OIG employees who have a need for the information in the performance of their official duties. Access to information stored on automated storage media is controlled by individually unique passwords/codes.

4. Access to the VA Austin Information Technology Center (AITC) is generally restricted to AITC employees, custodial personnel, Federal Protective Service and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. Information stored in the AITC databases may be accessed.

5. Access to records maintained at the VA Allocation Resource Center (ARC) and the VISN Offices is restricted to VA employees who have a need for the information in the performance of their official duties. Access to information stored in electronic format is controlled by individually unique passwords/codes. Records are maintained in manned rooms during working hours. The facilities are protected from outside access during non-working hours by the Federal Protective Service or other security personnel.

RECORD ACCESS PROCEDURE:

Individuals seeking information regarding access to and contesting of records in this system may write, call or visit the VA facility location where they were treated.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)Start Printed Page 11308

NOTIFICATION PROCEDURE:

An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to determine the contents of such record, should submit a written request or apply in person to the last VA healthcare facility where care was rendered. Addresses of VA healthcare facilities may be found in VA Appendix 1 of the biennial publication of VA Privacy Act Issuances. All inquiries must reasonably identify the place and approximate date that medical care was provided. Inquiries should include the patient's full name, social security number, insurance company information, policyholder and policy identification number as well as a return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

Last full publication provided in 70 FR 55207.