E7-6233. Privacy Act of 1974; System of Records  

    AGENCY:

    Department of Veterans Affairs (VA).

    ACTION:

    Notice of amendment to system of records.

    SUMMARY:

    As required by the Privacy Act of 1974 (5 U.S.C. 552a(e)), notice is hereby given that the Department of Veterans Affairs is amending the system of records currently entitled “Veterans, Dependents of Veterans, and VA Beneficiary Survey Records (43VA008)” as set forth in the Federal Register 65 FR 61022-61025. VA is amending the system by revising the System Name, Categories of Individuals on Whom Records are Maintained in the System; Categories of Records in the System; Authority for Maintenance of the System, Routine Uses of Records Maintained in the System, including Categories of Users and the Purpose of Such Uses, the Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System; System Manager(s); and Record Source Categories. VA is publishing the system notice in its entirety.

    DATES:

    Comments on this new system of records must be received no later than May 7, 2007. If no public comment is received, the new system of records will become effective May 7, 2007.

    ADDRESSES:

    Written comments may be submitted through www.Regulations.gov; by mail or hand-delivery to the Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays) by May 7, 2007. Please call (202) 273-9515 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System.

    FOR FURTHER INFORMATION CONTACT:

    Christine Elnitsky, Senior Policy Analyst, Policy Analysis Service, (008A1), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, (202) 273-9179.

    SUPPLEMENTARY INFORMATION:

    I. Description of Proposed System of Records

    The system name is changed from “Veterans, Dependents of Veterans, and VA Beneficiary Survey Records-VA” to “Veterans, Service Members, Family Members, and VA Beneficiary Survey Records” to be consistent with Congress' intent (as reflected in Pub. L. 108-454, sections 211 and 805) that VA also include service members and families of service members in surveys conducted by VA. The term “Service Members” includes active duty Armed Forces and members of the National Guard and Reserve Force, regardless of whether they are on active duty.

    The category entitled “Categories of individuals on whom records are maintained in the system” is amended to more accurately reflect the population from which VA may conduct surveys, to include service members and families of service members. VA beneficiaries, such as a spouse from a previous marriage, have been and continue to be an included category of individuals.

    The records covered by the heading entitled “Categories of records maintained in the system” are clarified by providing more details concerning the records contained in some of the categories of records described in the current system of records notice. VA is not adding any new categories of records maintained.

    VA is amending the authority for maintenance of records in this system to more precisely state that authority and to include statutory authority enacted since the last publication of this system notice. Previously, VA cited all of Public Law 103-62 as authority to maintain these records when only the portion codified at 5 U.S.C. section 306 is applicable. The reference to planning in the current and proposed Purposes for this system of records includes (and included) use in VA strategic planning under section 306. VA also is adding sections 211 and 805 of Public Law 108-454 as authority for maintenance of the records in this system of records.

    VA is amending the Policies and Practices for Storing, Retrieving, Accessing, Retaining and Disposing of Records in the System as follows. VA is amending the “Retrievability” and “Safeguards” paragraphs to reflect requirements for protecting the confidentiality of protected health information obtained from the Veterans Health Administration (VHA) in compliance with requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The amendments to the “Safeguards” paragraph also more fully describe security procedures for protecting the records, as well as procedures adopted since the last publication. VA is amending the retention and disposal paragraph to more fully describe the statutory requirement.

    VA is amending the system manager paragraph to reflect the change in the agency official responsible for maintaining the system of records.

    The Department has made minor edits to the System Notice to use plain language, and for grammar and clarity purposes, including changes to routine uses. These changes are not, and are not intended to be, substantive, and consequently, are not further discussed or enumerated.

    II. Proposed Amendments to Routine Use Disclosures of Data in the System

    The Agency is adding a preliminary statement before the routine uses clarifying that the routine use disclosure statements in this system of records do not provide authority for VA to disclose individually-identifiable health information protected by 38 U.S.C. 7332, the HIPAA Privacy Rule. This means you must have disclosure authority under 38 U.S.C. 7332, HIPAA, or both, where applicable, before disclosure under any routine use for data covered by these provisions. Further, routine uses are amended to provide consistency with the standards defined by Department of Health and Human Services (HHS) under HIPAA.

    Routine use numbers 1 and 2 are subsumed in the new routine use number 4. The combined routine use permits all disclosures previously authorized under the two previous routine uses.

    Routine use number 3 is renumbered as routine use number 1 and is clarified as to the scope of records that can be disclosed.

    Routine use number 4 is renumbered as routine use number 2 and is amended to clarify the persons who may receive records under this routine use. VA retains ownership of all individually-identifiable records provided under this routine use or created by the recipient pursuant to the agreement underlying this routine use. Recipients of records under this routine use shall be required to comply with the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m). OPP will ensure the appropriateness of disclosure of health information to contractors. Safeguards are to be provided in the underlying contract or agreement prohibiting the contractor from using or disclosing the information for any purpose other than that described in the contract or agreement.

    Routine use number 3 is a new routine use. The routine use states when OPP, on its own initiative, may disclose individually-identifiable information to law enforcement entities for investigations.

    Routine use number 4 is a new routine use. It provides authority for VA to provide information to other Federal agencies for statutorily permitted or required research and analyses. The routine use also permits VA to disclose limited individually-identified information to another Federal agency where that agency needs the information in order to locate, identify and provide information to OPP for OPP's purposes provided in this system of records notice. For example, this disclosure would include use in statistical studies such as describing VA's role in total benefit coverage and forecasting future demand for VA benefits or services or to receive summary business data to study the growth of veteran-owned businesses by area and industry. The privacy requirements and information use safeguards as required by OPP when records are shared with other Federal agencies for their use or for OPP information matching needs are specified.

    Routine use number 5 is a new routine use. The routine use provides that VA may disclose individually-identifiable information about a constituent of a Member of Congress to that Member or his or her staff when the Member is acting on behalf of the constituent at the constituent's request.

    Routine use number 6 is a new routine use that states when the Department may disclose records to the Department of Justice or may itself disclose records in litigation involving the United States. In determining whether to disclose records under this routine use, VA will comply with the guidance promulgated by the Office of Management and Budget in a May 24, 1985, memorandum entitled “Privacy Act Guidance—Update”, currently posted at http://www.whitehouse.gov/omb/inforeg/guidance1985.pdf.

    Routine use number 7 is a new routine use that states the circumstances, and to whom, VA may disclose records in order to respond to, and minimize possible harm to individuals as a result of a data breach. This routine use is promulgated in order to meet VA's duties under 38 U.S.C. 5724 and the Privacy Act.

    III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about individuals without their authorization for routine uses when the information will be used for purposes that are compatible with the purposes for which VA collected the information. In all the routine use disclosures described above, either the recipient of the information will use the information in connection with a matter relating to one of VA's programs, will use the information to provide a benefit to VA, or disclosure is required by law.

    The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

    Approved: March 22, 2007.

    Gordon H. Mansfield,

    Deputy Secretary of Veterans Affairs.

    43VA008

    SYSTEM NAME:

    Veterans, Service Members, Family Members, and VA Beneficiary Survey Records.

    SYSTEM LOCATION:

    Computerized records will be maintained at the following computer site locations: VA Austin Automation Center, 1615 Woodward Street, Austin, Texas 78722; VA Central Office, 810 Vermont Avenue, NW., Washington, DC 20420; or with private contractors acting as agents of the VA. Paper records are stored at the Washington National Records Center (WNRC) or with private contractors acting as agents of the VA.

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    (1) Veterans,

    (2) Family members of veterans,

    (3) Military service members,

    (4) Family members of service members, and

    (5) Other VA beneficiaries.

    CATEGORIES OF RECORDS IN THE SYSTEM:

    The categories of records in the system may include:

    1. Personal identifiers (e.g., respondents' names, addresses, phone numbers, social security numbers, employer identification numbers);

    2. Demographic and socioeconomic characteristics (e.g., date of birth, sex, race/ethnicity, education, marital status, employment and earnings, financial information, business ownership information);

    3. Military service information (e.g., military occupational specialties, periods of active duty, branch of service including National Guard or Reserves, date of separation, rank);

    4. Health status information (e.g., diagnostic, health care utilization, cost, and third-party health plan information);

    5. Benefit and service information (e.g., data on transition assistance services, VA medical and other benefit eligibility, awareness, knowledge, understanding, and use; data on access and barriers to VA benefits or services; data about satisfaction with VA outreach, benefits, or services);

    6. The records may also include information about DoD military personnel from DoD files (e.g., utilization files that contain inpatient and outpatient medical records, and eligibility files from the Defense Eligibility Enrollment Reporting System (DEERS));

    7. The records may include information on Medicare beneficiaries from Health Care Financing Administration (HCFA) databases (e.g., Denominator file identifies the population being studied; Standard Analytical files on inpatient, outpatient, physician supplier, nursing home, hospice, home care, durable medical equipment; and Group and other Health Plans).

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    5 U.S.C. 306, 38 U.S.C. 527, and Sections 211 and 805 of Public Law 108-454.

    PURPOSE(S):

    The purpose of this system of records is to collect data about the characteristics of America's veteran, service member, family member, and beneficiary population through surveys that may be augmented with information from several existing VA systems of records and with information from non-VA sources to:

    1. Conduct statistical studies and analyses relevant to VA programs and services.

    2. Plan and improve services provided;

    3. Decide about VA policies, programs, and services;

    4. Study the VA's role in the use of VA and non-VA benefits and services; and

    5. Study the relationship between the use of VA benefits and services and the use of related benefits and services from non-VA sources. These types of studies are needed for VA to forecast future demand for VA benefits and services.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSE OF SUCH USES:

    To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information, and 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism, or alcohol abuse, sickle cell anemia, or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.

    1. Any system records may be disclosed to the National Archives and Records Administration (NARA), and General Services Administration (GSA) for records management inspections conducted under the authority of 44 United States Code.

    2. Any system records may be disclosed to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement for the performance of the services identified in the contract or agreement. The person performing the agreement or contract (or employees of the person) also may disclose records covered by the contract or agreement to any secondary entity or individual to perform an activity necessary to provide to VA the service identified in the contract or agreement as permitted under the contract or agreement.

    3. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

    4. Any system records may be disclosed to a Federal agency for the conduct of research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that there is legal authority under all applicable confidentiality statutes and regulations to provide the data and OPP has determined prior to the disclosure that OPP data handling requirements are satisfied. OPP may disclose limited individual identification information to another Federal agency for the purpose of matching and acquiring information held by that agency for OPP to use for the purposes stated for this system of records.

    5. Any system records may be disclosed to a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional Office made at the written request of the constituent about whom the record is maintained.

    6. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

    7. VA may, on its own initiative, disclose information when VA reasonably believes that there may have been a data breach with respect to information in the system such that the confidentiality or integrity of information in the system of records may have been compromised to such agencies, entities, and persons who are reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed data breach and prevent, minimize, or remedy such harm, including conduct of any risk analysis, or provision of credit protection services as provided in 38 U.S.C. 5724.

    POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING OF RECORDS IN THE SYSTEM

    STORAGE:

    VA sensitive information includes health information that is stored on electronic media, laser optical media, on a segregated secure server or in paper form. Electronic media, or laser optical media data are kept locked in a safe when not in immediate use. The data is located in a combination-locked safe which is secured inside a key-accessed room at the U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Information stored on paper is kept locked in file cabinets when not in immediate use. Databases are temporarily placed on a secured server inside a restricted network area for data match purposes only. Information that resides on a segregated server is kept behind cipher locked doors with limited access. Requestors of OPP stored health information within VA, or from external individuals, contractors, organizations, and/or agencies with whom VA has a contract or agreement, must provide an equivalent level of security protection and comply with current VA policies and procedures for storage and transmission as codified in VA directives such as but not limited to VA Directive 6504.

    RETRIEVABILITY:

    Health care information is kept separate from individual identifiers. Unique codes are assigned to individual health information. A codebook for decoding is stored in a safe for name, social security number or other assigned identifiers of the individuals on whom they are maintained. These records may be retrieved by name, address, social security number, date of birth, military service number, claim or file number, DoD's identification numbers, or other personal identifiers.

    SAFEGUARDS:

    1. This list of safeguards furnished in this System of Record is not an exclusive list of measures that have been, or will be, taken to protect individually-identifiable information. HIPAA guidelines for protecting health information will be followed by adopting health care industry best practices in order to provide adequate safeguards. Further, VA policy directives that specify the standards that will be applied to protect health information will be reviewed by VA staff and contractors through mandatory data privacy and security training.

    2. Access to data storage areas is restricted to authorized VA employee or contract staff who have been cleared to work by the VA Office of Security and Law Enforcement. Health information file areas are locked after normal duty hours. VA facilities are protected from outside access by the Federal Protective Service and/or other security personnel.

    3. Access to health information provided by the Veterans Health Administration (VHA) pursuant to a Business Associate Agreement (BAA) is restricted to those OPP employees and contractors who have a need for the information in the performance of their official duties. As a general rule, full sets of health care information are not provided for use unless authorized by the Assistant Secretary. File extracts provided for specific official uses will be limited to contain only the information fields needed for the analysis. Data used for analyses will have individual identifying characteristics removed whenever possible.

    4. Security complies with applicable Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST). Health information files containing unique identifiers such as social security numbers are encrypted to NIST verified FIPS 140-2 standard or higher for storage, transport, or transmission. All files stored or transmitted on laptops, workstations, data storage devices and media are encrypted. Files are kept encrypted at all times except when data is in immediate use. These methods are applied in accordance with HIPAA regulations [45 CFR 164.514] and VA Directive 6504.

    5. Contractors and their subcontractors are required to maintain the same level of security as VA staff for health care information that has been disclosed to them. Any data disclosed to a contractor or subcontractor to perform authorized analyses requires the use of Data Use Agreements, Non-Disclosure Statements and Business Associates Agreements (BAA's) to protect health information. Unless explicitly authorized in writing by the VA, sensitive or protected data made available to the contractor and subcontractors shall not be divulged or made known in any manner to any person. Other federal or state agencies requesting health care information need to provide Data Use Agreements to protect data.

    6. OPP's work area is accessed for business-only needs. The data is stored in a combination-protected safe which is secured inside a limited access room. Direct access to the safe is controlled by select individuals who possess background security clearances. Only a few employees with strict business needs or “need-to-know” access and completed background checks will ever handle the data once it is removed from the safe for data match purposes.

    7. Data matches are conducted on a secured server which is housed in a restricted access network area with appropriate locking devices. Access to such records is controlled by three measures: The application of a VA security identification card coded with special permissions network area's key pad; the proper input of a series of individually-unique passwords/codes by a recognized user; and the entrance of those select individuals for the performance of their official information technology-related duties.

    8. Access to Automated Data Processing (ADP) files is controlled by using an individually unique password entered in combination with an individually unique user identification code.

    9. Access to VA facilities where identification codes, passwords, security profiles and possible security violations are maintained is controlled at all hours by the Federal Protective Service, VA, or other security personnel and security access control devices.

    10. Public use files prepared for purposes of research and analysis are purged of personal identifiers.

    11. Paper records, when they exist, are maintained in a locked room at the WNRC. The Federal Protective Service protects paper records from unauthorized access.

    RETENTION AND DISPOSAL:

    Records are maintained and disposed of in accordance with the records disposition authority approved by the Archivist of the United States and the National Archives and Records Administration (NARA) and published in Agency Records Control Schedules. If the Archivist has not approved disposition authority for any records covered by the system notice, the System Manager will take immediate action to have the disposition of records in the system reviewed in accordance with VA Handbook 6300.1, Records Management Procedures. The records may not be destroyed until VA obtains an approved records disposition authority. See Records Control Schedule (RCS) 10-1 for further guidance. OPP destroys electronic files when no longer needed for administrative, legal, audit, or other operational purposes. In accordance with title 36 CFR, Section 1234.34, Destruction of Electronic Records, “electronic records may be destroyed only in accordance with a records disposition schedule approved by the Archivist of the United States, including General Records Schedules.”

    SYSTEM MANAGER(S) AND ADDRESS(ES):

    Director, Policy Analysis Service (008A1), 810 Vermont Avenue, NW., Washington, DC 20420.

    NOTIFICATION PROCEDURE:

    An individual who wants to determine whether the Director, Policy Analysis Service (008A1) is maintaining a record under the individual's name or other personal identifier or wants to determine the content of such records must submit a written request to the Director, Program Analysis Service (008A1). The individual seeking this information must prove his or her identity and provide the name of the survey in question, approximate date of the survey, social security number, full name, and date of birth, telephone number, and return address. All inquiries must reasonably identify the health care information involved and the approximate date that medical care was provided.

    RECORDS ACCESS PROCEDURES:

    An individual seeking information regarding access to and contesting of records maintained by the Office of Policy and Planning under his or her name or other personal identifier may write the System Manager named above and specify the information being requested or contested.

    CONTESTING RECORD PROCEDURES:

    (See Records Access Procedures.)

    RECORDS SOURCE CATEGORIES:

    Information in this system of records is obtained from survey questionnaire data provided by veterans, veteran family members, military service members, families of service members, or VA beneficiaries in a survey sample and from veterans, family members, military service members, or beneficiaries on specific VA benefit rolls. Information may also be obtained from the Patient Medical Records System (24VA19), the Patient Fee Basis Medical and Pharmacy Records (23VA19); Veterans and Beneficiaries Identification and Records Location Subsystem (38VA23); Compensation, Pension, Education, and Rehabilitation Records (58VA21/22); Health Care Eligibility Center Records (89VA19); DoD utilization files and DEERS files; and HCFA Denominator file or its successor, Standard Analytical files (inpatient, outpatient, physician supplier, nursing home, hospice, home care, durable medical equipment) and Group Health Plan, and other public or private health provider, federal agency, or insurance programs and plans.

    [FR Doc. E7-6233 Filed 4-5-07; 8:45 am]

    BILLING CODE 8320-01-P

Document Information

Effective Date: 5/7/2007
Published: 04/06/2007
Department: Veterans Affairs Department
Entry Type: Notice
Action: Notice of amendment to system of records.
Document Number: E7-6233
Dates: Comments on this new system of records must be received no later than May 7, 2007. If no public comment is received, the new system of records will become effective May 7, 2007.
Pages: 17229-17233 (5 pages)
PDF File: e7-6233.pdf