AGENCY:

Department of Veterans Affairs (VA), Veterans Health Administration.

ACTION:

Notice of a modified system of records.

SUMMARY:

As required by the Privacy Act of 1974, notice is hereby given that the Department of Veterans Affairs (VA) Start Printed Page 52547is modifying the system of records entitled, “Gulf War Registry -VA” (93VA131) as set forth in the Federal Register. VA is amending the system of records by revising the System Number; System Location; System Manager; Authority for Maintenance of the System; Categories of Records in the System; Routine Uses of Records Maintained in the System; Policies and Practices for Storage of Records; Policies and Practices for Retention and Disposal of Records; Physical, Procedural and Administrative Safeguards; Record Access Procedures; and Notification Procedure. VA is republishing the system notice in its entirety.

DATES:

Comments on this amended system of records must be received no later than 30 days after date of publication in the Federal Register. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by the VA, the modified system of records will become effective a minimum of 30 days after date of publication in the Federal Register. If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

ADDRESSES:

Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), Washington, DC 20420. Comments should indicate that they are submitted in response to “Gulf War Registry—VA” (93VA131). Comments received will be available at regulations.gov for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT:

Stephania Griffin, Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492 (Note: this is not a toll-free number).

SUPPLEMENTARY INFORMATION:

The System Number is being updated from 93VA131 to 93VA10 to reflect the current VHA organizational routing symbol.

The System Location is being updated to replace Austin Automation Center (AAC) with Austin Information Technology Center (AITC) and to reflect electronic records being moved to contracted data repository sites, such as the Cerner Technology Centers (CTC): Primary Data Center in Kansas City, MO and Continuity of Operations/Disaster Recovery (COOP/DR) Data Center in Lee Summit, MO, in the future. Environmental Agents Service (131) is being replaced with Post Deployment Health Services (12POP5). Also, since optic readers, paper, or disk copies are no longer used or maintained, this section is being updated to remove, “The secure web-based data entry system is maintained by the AAC and provides retrievable images to users. The optical disk system is currently being utilized where there is no access to the secure web-based system. However, the optical disk system is scheduled to be discontinued in 2004. Images of code sheets are accessible in the web-based data entry system.”

The System Manager, Record Access Procedures, and Notification Procedure are being updated to replace, “Program Chief for Clinical Matters, Office of Public Health and Environmental Hazards (13) (for clinical issues) and Management/Program Analyst, Environmental Agents Service (131) (for administrative issues)” with Deputy Chief Consultant, Post Deployment Health Services (12POP5). Telephone number 202-266-4511 (this is not a toll-free number).

Authority for Maintenance of the System is being amended to replace “Title 38, United States Code (U.S.C.) 1710(e)(1)(B) and 1720E” with Title 38 U.S.C. 1117, Public Laws 102-585 and 100-687.

Categories of Records in the System is being amended to remove “Similar responses for spouse and children of Gulf War Veterans examined by non-VA physicians are contained in the records”.

The Routine Uses of Records Maintained in the System is being updated to replace Joint Commission for Accreditation of Healthcare Organizations (JCAHO) to The Joint Commission in Routine use #8.

The language in Routine Use #9 is being updated. It previously stated that disclosure of the records to the Department of Justice (DoJ) is a use of the information contained in the records that is compatible with the purpose for which VA collected the records and that VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. This routine use will now state that VA may disclose information to the Department of Justice (DoJ), or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when:

(a) VA or any component thereof;

(b) Any VA employee in his or her official capacity;

(c) Any VA employee in his or her official capacity where DoJ has agreed to represent the employee; or

(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components,

is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings, provided, however, that in each case VA determines the disclosure is compatible with the purpose for which the records were collected. If the disclosure is in response to a subpoena, summons, investigative demand, or similar legal process, the request must meet the requirements for a qualifying law enforcement request under the Privacy Act, 5 U.S.C. 552a(b)(7), or an order from a court of competent jurisdiction under 552a(b)(11).

Routine Use #12 has been updated by clarifying the language to state, “VA may disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.”

Routine use #13 is being added to state, “VA may disclose information from this system of records to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.”

Policies and Practices for Storage of Records is updated to remove “In 2003, the data collection process moved to a secure web-based system. Data previously recorded manually and converted to electronic format is now input through the secure VA Intranet system. Data is stored on a web server hosted by the AAC and is retrievable by the facility. Three levels of access are Start Printed Page 52548provided for the data that is input, using password security linked to the AAC Top Secret Security system, with mandated changes every 90 days. Data from individual facilities is uploaded nightly and stored on Direct Access Storage Devices at the AAC, Austin, Texas, and on optical disks at VA Central Office, Washington, DC. AAC stores registry tapes for disaster back up at an off-site location. VA Central Office also has back-up optical disks stored off-site. In addition to electronic data, registry reports are maintained on paper documents and microfiche. The optical disk system is currently being utilized where there is no access to the secure web-based system. The optical disk system is scheduled to be discontinued in 2004 and all access to the GWR system will be through the secure web-based data entry system. Records will be maintained and disposed of in accordance with records disposition authority approved by the Archivist of the United States.” This section is updated to state that all registry data is stored electronically in the registry database.

Policies and Practices for Retention and Disposal of Records is being updated to remove “Records will be maintained and disposed of in accordance with records disposition authority approved by the Archivist of the United States”. This section is updated to state that Records are scheduled in accordance with RCS 10-1, 1202.1e, permanent disposition; cutoff at the end of calendar year. Records are transferred to NARA in 5-year blocks 1 year after the cutoff of the most recent records in the block. (N1-015-00-2, item 2e).

The Physical, Procedural and Administrative Safeguards section is being updated to remove, “Data is securely located behind the VA firewall and only accessible from the VA Local Area Network (LAN) through the VA Intranet. Read access to the data is granted through a telecommunications network to authorized VA Central Office personnel. AAC reports are also accessible through a telecommunications network on a read-only basis to the owner (VA facility) of the data. Access is limited to authorized employees by individually unique access codes which are changed periodically. Physical access to the AAC is generally restricted to AAC staff, VA Central Office, custodial personnel, Federal Protective Service and authorized operational personnel through electronic locking devices. All other persons gaining access to the computer rooms are escorted. Backup records stored off-site for both the AAC and VA Central Office are safeguarded in secured storage areas. A disaster recovery plan is in place and system recovery is tested at an off-site facility in accordance with established schedules.” This section is updated to state that there are multiple levels of security to ensure the confidentiality of all data stored within the GWR. The registry is stored on a password protected system located in a locked room. Registry application is web-based and accessible behind the VA firewall. Access to the facility is limited by PIV access, security card, metal scanners at the entrance, and security guards.

The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Dominic A. Cussatt, Acting Assistant Secretary of Information and Technology and Chief Information Officer, approved this document on August 5, 2021 for publication.

SYSTEM NAME

Gulf War Registry—VA (93VA10)

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Character-based data from Gulf War Registry (GWR) Code Sheets are maintained in a registry data set at the Austin Information Technology Center (AITC), 1615 Woodward Street, Austin, Texas 78772 and may be maintained at contracted data repository sites, such as the Cerner Technology Centers (CTC): Primary Data Center in Kansas City, MO and Continuity of Operations/Disaster Recovery (COOP/DR) Data Center in Lee Summit, MO. Since the data set at the AITC is not all-inclusive, i.e., narratives, signatures, etc., noted on the code sheets are not entered into this system, images of the code sheets are maintained at the Department of Veterans Affairs, Post Deployment Health Services (12POP5), 810 Vermont Avenue NW, Washington, DC 20420. These are electronic images of paper records, i.e., code sheets, medical records, questionnaires and correspondence.

SYSTEM MANAGER(S):

Deputy Chief Consultant, Post Deployment Health Services (12POP5). VA Central Office, 810 Vermont Avenue NW, Washington, DC 20420. Telephone number 202-266-4511 (this is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code (U.S.C.) 1117, Public Laws 102-585 and 100-687.

PURPOSE(S) OF THE SYSTEM:

The records will be used for the purpose of providing information about: Veterans who have had a GWR examination at a VA medical facility and their spouses and/or children who have had examinations by VA or non-VA clinicians to assist in generating hypotheses for research studies; providing management with the capability to track patient demographics; reporting birth defects among Veterans' children and grandchildren; planning the delivery of health care services and associated cost; and assisting in the adjudication of claims possibly related to exposure to a toxic substance or environmental hazard.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Veterans who may have been exposed to toxic substances or environmental hazard while serving in the Southwest Theatre of Operations during the Gulf War from August 2, 1990, until such time as Congress by law ends the Gulf War, and have had a Gulf War Registry (GWR) examination at a VA medical facility. Also, a spouse or child suffering from an illness or disorder (including birth defects, miscarriages, or stillbirth), which cannot be disassociated from the Veteran's service in the Southwest Asia Theatre of Operations and who has had a GWR examination performed by a VA or non-VA clinician.

CATEGORIES OF RECORDS IN THE SYSTEM:

These records consist of code sheet records recording VA facility code identifier where Veteran was examined or treated; Veteran's name; address; Social Security number; date of birth; race/ethnicity; marital status; sex; Start Printed Page 52549branch of service; periods of service; hospital status, i.e., inpatient; outpatient; areas of service in the Gulf War Theatre of Operations; list of military units where Veteran served; military occupation specialty; names of units in which Veteran served; Veteran's reported exposure to environmental factors; any traumatic experiences while in the Gulf War; Veteran's self-assessment of health; Veteran's functional impairment; report of birth defects and infant death(s) among Veteran's children and/or problems with pregnancy and infertility; date of registry examination; Veteran's complaints/symptoms; consultations; diagnoses; disposition (hospitalized, referred for outpatient treatment, etc.); whether Veteran had an unexplained illness and had further tests and consultations and diagnoses as part of a Phase II, Uniform Case Assessment Examination; and name and signature of examiner/clinician coordinator, when provided.

Another category of data entry is obtained from depleted uranium (DU) questionnaires, a supplement to the Gulf War code sheet. The data entries may contain the facility identifier where the information was completed; demographic information (name and Social Security number); daytime and evening phone numbers; date of questionnaire completion; date of arrival in and departure from the Gulf War Theatre of Operations; source of referral to VA medical center for evaluation; where Veteran served (i.e., Iraq, Kuwait, Saudi Arabia, the neutral zone [between Iraq and Saudi Arabia], Bahrain, Qatar, the United Arab Emirates, Oman, Gulf of Aden, Gulf of Oman and the Waters of the Persian Gulf, Arabian Sea and Red Sea); capacity in which Veteran served; questions relating to potential inhalation exposures to DU including those on, in, or near vehicles hit with friendly fire or enemy fire, entering burning vehicles, individuals near fires involving DU munitions, individuals salvaging damaged vehicles, and those near burning vehicles; whether Veteran was wounded, retained DU fragments in Veteran's body, handled DU penetrator rounds or any other exposures to DU; whether a 24-hour urine collection for uranium was performed; name, title and signature of examiner/environmental health clinician, when provided, and results of urine uranium tests, expressed per microgram per gram creatinine.

RECORD SOURCE CATEGORIES:

VA patient medical records, various automated record systems providing clinical and managerial support to VA health care facilities, Veteran, family members, and records from Veterans Benefits Administration, Department of Defense, Department of the Army, Department of the Air Force, Department of the Navy and other Federal agencies.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information of VHA or any of its business associates, and 38 U.S.C. 7332; i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia, or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in both 38 U.S.C. 7332 and CFR parts 160 and 164 permitting disclosure.

1. VA may disclose information to a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

2. VA may disclose information relevant to a claim of a Veteran or beneficiary, such as the name, address, the basis and nature of a claim, amount of benefit payment information, medical information, and military service and active duty separation information, only at the request of the claimant to accredited service organizations, VA-approved claim agents, and attorneys acting under a declaration of representation, so that these individuals can aid claimants in the preparation, presentation, and prosecution of claims under the laws administered by VA.

3. VA may disclose the names and address(es) of present or former members of the armed services or their beneficiaries: (1) To a nonprofit organization if the release is directly connected with the conduct of programs and the utilization of benefits under Title 38, and (2) to any criminal or civil law enforcement governmental agency or instrumentality charged under applicable law with the protection of the public health or safety, if a qualified representative of such organization, agency, or instrumentality has made a written request that such names or addresses be provided for a purpose authorized by law; provided that the records will not be used for any purpose other than that stated in the request and that organization, agency, or instrumentality is aware of the penalty provision of 38 U.S.C. 5701(f).

4. VA may disclose information to National Archives and Records Administration (NARA) in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.

5. VA may disclose information from this system to epidemiological and other research facilities approved by the Under Secretary for Health for research purposes determined to be necessary and proper, provided that the names and addresses of Veterans and their dependents will not be disclosed unless those names and addresses are first provided to VA by the facilities making the request.

6. VA may disclose information to a Federal agency for the purpose of conducting research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency.

7. VA may disclose information that, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, to a Federal, state, local, territorial, tribal, or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing such law. The disclosure of the names and addresses of Veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701.

8. VA may disclose information to survey teams of The Joint Commission, College of American Pathologists, American Association of Blood Banks, and similar national accreditation agencies or boards with which VA has a contract or agreement to conduct such reviews, as relevant and necessary for the purpose of program review or the seeking of accreditation or certification.

9. VA may disclose information to the Department of Justice (DoJ), or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when:

(a) VA or any component thereof;

(b) Any VA employee in his or her official capacity;

(c) Any VA employee in his or her official capacity where DoJ has agreed to represent the employee; or

(d) The United States, where VA determines that litigation is likely to Start Printed Page 52550affect the agency or any of its components,

is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings.

11. VA may disclose to other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

12. VA may disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

13. VA may disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

All registry data is stored electronically in the registry database.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are indexed by name of Veteran and Social Security number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are scheduled in accordance with RCS 10-1, 1202.1e, permanent disposition; cutoff at the end of calendar year. Records are transferred to NARA in 5-year blocks 1 year after the cutoff of the most recent records in the block. (N1-015-00-2, item 2e)

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Access to electronic and paper records at VA Central Office is only authorized to VA personnel on a “need to know” basis. Records are maintained in manned rooms during working hours. During non-working hours, there is limited access to the building with visitor control by security personnel. Registry data maintained at the AITC can only be updated by authorized AITC personnel.

There are multiple levels of security to ensure the confidentiality of all data stored within the GWR. The registry is stored on a password protected system located in a locked room. Registry application is web-based and accessible behind the VA firewall. Access to the facility is limited by Personal Identity Verification (PIV) access, security card, metal scanners at the entrance, and security guards.

RECORD ACCESS PROCEDURE:

An individual who seeks access to records maintained under his or her name may write or visit the nearest VA medical facility or write to the Deputy Chief Consultant, Post Deployment Health Services (12POP5), VA Central Office, 810 Vermont Avenue NW, Washington, DC 20420.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)

NOTIFICATION PROCEDURE:

An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to determine the contents of such record, should submit a written request or apply in person to the last VA medical facility where medical care was provided or submit a written request to the Deputy Chief Consultant, Post Deployment Health Services (12POP5), VA Central Office, 810 Vermont Avenue NW, Washington, DC 20420. Inquiries should include the Veteran's name, Social Security number, service serial number, and return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

Last full publication provided in 69 FR 2962.