[Federal Register: April 19, 2007 (Volume 72, Number 75)]
[Notices]
[Page 19770-19774]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr19ap07-94]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY: Department of Veterans Affairs (VA).
ACTION: Notice of amendment to an existing System of Records.
-----------------------------------------------------------------------
SUMMARY: As required by the Privacy Act of 1974 (title 5, United States
Code (U.S.C.), Section 552a(e)), notice is hereby given that the
Department of Veterans Affairs (VA) is amending the system of records
currently entitled, ``Shipboard Hazard and Defense Integrated
Database--VA'' (128VA008A) as set forth in the Federal Register 68 FR
56379. VA is amending the system by revising the System Number, System
Name, System Location, Categories of Individuals Covered by the System,
Categories of Records in the System, Authority for Maintenance of the
System, Purpose, and Routine Uses of Records Maintained in the System,
including Categories of Users and the Purposes of Such Uses, the System
Manager, System Address and Notification and Records Access sections of
the system notice. VA is republishing the system notice in its
entirety.
DATES: Comments on the amendment of this system of records must be
received no later than May 21, 2007. If no public comment is received,
the new system will become effective May 21, 2007.
ADDRESSES: Written comments may be submitted through
[[Page 19771]]
http://www.Regulations.gov; by mail or hand-delivery to the Director,
Regulations Management (00REG), U. S. Department of Veterans Affairs,
810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to
(202) 273-9026. Copies of comments received will be available for
public inspection in the Office of Regulation Policy and Management,
Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through
Friday (except holidays). Please call (202) 273-9515 for an
appointment. In addition, during the comment period, comments may be
viewed online through the Federal Docket Management System.
FOR FURTHER INFORMATION CONTACT: Dat Tran, Director, Data Development
and Analysis Service, (008A3), U.S. Department of Veterans Affairs, 810
Vermont Ave., NW., Washington, DC 20420, (202) 273-6482.
SUPPLEMENTARY INFORMATION:
I. Description of the Proposed Amendments to Systems of Records
``Shipboard Hazard and Defense Integrated Database--VA'' (128VA008A)
The System Name is changed from ``Shipboard Hazard and Defense
Integrated Database--VA'' to the ``Chemical and Biological Agent
Exposure Database--VA'' because the Department of Defense (DoD) will
provide VA with individually-identified data on individuals whom DoD
identifies as having been exposed (or possibly exposed) to chemical and
biological agents while on active duty. The System Number is changed
from 128VA008A to 128VA008 to reflect the current office within the VA
Office of Policy and Planning (OPP), previously known as the Office of
Policy, Planning, and Preparedness, that is the System Manager for the
system of records.
VA is changing the System Location to reflect the fact that OPP
also stores copies of electronic data on a secured server in VA's
Austin Automation Center. VA is also amending the Storage and
Safeguards portions of the notice to provide relevant information about
the storage and safeguards for electronic data stored at the Austin
Automation Center.
The Categories of Individuals Covered in the System portion of the
System notice is amended to include all veterans, not just Project
Shipboard Hazard and Defense (Project SHAD) and Project 112 veterans,
whom DoD identifies as having been exposed (or possibly exposed) to
chemical and biological agents while on active duty.
VA is expanding the Categories of Records in the System Section to
include protected health information received from VA's Veterans Health
Administration (VHA), financial-related information (i.e., VA and other
Federal benefits etc.) for benefits utilization reports, as well as
additional data elements from select VA databases currently providing
information for this system of records. VA is also simplifying the
description of the categories of records in the system by listing the
various types of records maintained rather than continuing the current
``laundry list'' of records. For example, the new notice states that VA
will maintain ``personal identifiers'' rather than listing name, social
security number and veteran service number as is done in the current
notice. VA is not deleting any records from the Categories of Records
in the System.
The Authority for Maintenance of the System was previously the
general regulatory authority of the Secretary of Veterans Affairs,
section 501 of title 38, U.S.C. VA is revising this section of the
notice to read title 38, U.S.C. 527, which mandates that the Department
engage in gathering and conducting statistical analysis on data in
order to evaluate and improve the delivery of title 38 benefits to
America's veterans and their dependents.
VA is amending the Purposes section of the notice to reflect the
duties that OPP performs with the data under section 527 of title 38,
U.S.C.
VA is amending the Policies and Practices for Storing, Retrieving,
Accessing, Retaining, and Disposing of Records in the System to reflect
the change in how OPP stores records in VA Central Office. VA is also
providing information concerning the data stored on the secured server
at the Austin Automation Center.
Retrievability is amended to state the other data fields by which
OPP will retrieve information from this system of records.
Safeguards are changed to reflect a new storage location, and
enhanced security measures adopted since VA last published this notice.
The Systems Managers, Addresses, Notification, and Records Access
Procedures Sections are amended to reflect new point of contact
information and organizational name changes.
The Department has made minor edits to the System Notice for
grammar and clarity purposes to reflect plain language, including
changes to routine uses. These changes are not, and are not intended to
be, substantive, and are not further discussed or enumerated.
II. Proposed Routine Use of Disclosures of Data in the System
VA is rewriting existing routine uses in the System using plain
language. The use of plain language in these routine uses does not, and
is not intended to, change the disclosures authorized under these
routine uses. VA is amending, deleting, rewriting and reorganizing the
order of the routine uses in this system of records, as well as adding
new routine uses.
VA is amending the preamble before the listing of routine uses to
state that the Health Insurance Portability and Accountability Act
(HIPAA) Privacy Rule must also permit disclosure of individually-
identifiable information from the system of records before OPP may
disclose records under the routine use.
Routine Use Number 1 is not changed substantively.
VA is deleting current routine use number 2 because the Agency does
not disclose information from this system of records under this routine
use.
VA is deleting current routine use number 3 because the Agency does
not disclose information from this system of records under this routine
use.
VA is not amending current routine use number 4 substantively, but
is renumbering it as routine use number 2 in the amended system of
records notice.
VA is not amending current routine use number 5, but is renumbering
it as routine use number 8 in the amended system of records notice.
VA is amending current routine use number 6 and renumbering it as
routine use number 3. The new routine use states prior to disclosure
that OPP will determine: (A) That the disclosure does not violate legal
or policy limitations under which the record was provided, collected,
or obtained; (B) that the study purpose (1) cannot be reasonably
accomplished unless the record is provided in individually-identifiable
form, and (2) warrants the risk to the privacy of the individual that
additional exposure of the record might bring; and (C) that the
recipient has agreed that (1) It will establish (if it hasn't already)
reasonable administrative, technical, and physical safeguards to
prevent unauthorized use or disclosure of the record, (2) it will
remove or destroy the information that identifies the individual at the
earliest time at which removal or destruction can be accomplished
consistent with the purpose of the study, unless the recipient has
presented adequate justification of a study or health nature for
retaining such information, and (3)
[[Page 19772]]
it will make no further use or disclosure of the record except (a) In
emergency circumstances affecting the health or safety of any
individual, (b) for use in another study, under these same conditions,
and only with prior written authorization of the Department, (c) for
disclosure to a properly identified person for the purpose of an audit
related to the study, if information that would enable veterans or
their dependents to be identified is removed or destroyed at the
earliest opportunity consistent with the purpose of the audit, or (d)
when required by law. VA will secure a written statement attesting to
the recipient's understanding of, and willingness to abide by, these
provisions.
In an effort to obtain health and other information, OPP may
disclose limited individual identification information to another
Federal agency for the purpose of matching and acquiring information
held by that agency. Records that are matched with information owned by
another Federal agency, such as DoD, will not be used for determining
eligibility of benefits or services through VA or another Federal
agency.
VA is renumbering current routine use number 7 as routine use
number 4 and amending it to more accurately reflect the conditions
under which VA, on its own initiative, may disclose information from
this system of records for law enforcement purposes.
VA is deleting current routine use number 8 because VA does not
anticipate releasing information from this system of records for the
purpose stated in current routine use number 8.
VA is renumbering current routine use number 9 as routine use
number 5, and amending it to more clearly state when OPP will disclose
information to the Department of Justice or may itself disclose records
in litigation involving the United States. In determining whether to
disclose records under this routine use, VA will comply with the
guidance promulgated by the Office of Management and Budget (OMB) in a
May 24, 1985, memorandum entitled ``Privacy Act Guidance--Update''
currently posted at http://www.whitehouse.gov/omb/inforeg/guidance1985.pdf
.
Routine use number 6 is a new routine use authorizing OPP to
disclose individually-identifiable information to contractors or other
entities that will provide services to OPP for which the recipient
needs that information in order to perform the services.
Routine use number 7 is a new routine use that states the
circumstances, and to whom, VA may disclose records in order to respond
to, and minimize possible harm to individuals as a result of a data
breach. This routine use is promulgated in order to meet VA's statutory
duties under title 38, U.S.C. 5724 and the Privacy Act.
III. Compatibility of the Proposed Routine Uses
The Privacy Act permits VA to disclose information about
individuals without their authorization for a routine use when the
information will be used for a purpose that is compatible with the
purpose for which we collected the information. In all of the routine
use disclosures, either the recipient of the information will use the
information in connection with a matter relating to one of VA's
programs, will use the information to provide a benefit to VA, or the
disclosure is required by law.
The notice of intent to publish and an advance copy of the system
notice have been sent to the appropriate Congressional committees and
to the Director of OMB as required by title 5 U.S.C. 552a(r) (Privacy
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
Approved: April 5, 2007.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
128VA008
SYSTEM NAME:
Chemical and Biological Agent Exposure Database--VA''.
SYSTEM LOCATION:
One location for electronic and paper records, following VA-
approved procedures, is in the Office of the Director, Data Development
and Analysis Service, (008A3), U.S. Department of Veterans Affairs, 810
Vermont Ave., NW., Washington, DC 20420. Additionally, electronic
records are also placed on the Department of Veterans Affairs' (VA's)
secured server which is housed at VA's Austin Automation Center, 1615
Woodward St., Austin, TX 78772. Records necessary for a contractor to
perform under a VA-approved contract are located at the respective
contractor's facility.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Veterans identified by DoD or another government agency as having
been exposed to any type of chemical (including psycho-chemical) and
biological agents during active duty.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records include personal identifiers, residential and
professional contact data, population demographics, military service-
related data, financial-related data, claims processing codes and
information, and other VA and non-VA Federal benefit information.
Additionally, some records may contain DoD health care-related data or
VHA-originated health care information.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Title 38, U.S.C 527.
PURPOSE(S):
To measure and evaluate on a continuing basis all programs
authorized under title 38, U.S.C., including analysis and review of
policy and planning issues affecting VA programs, in order to support
legislative, regulatory and policy recommendations, initiatives and
decisions affecting VA programs and activities.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include
information protected by Title 45, Code of Federal Regulations (CFR)
Parts 160 and 164 (i.e., individually identifiable health information)
and title 38, U.S.C. 7332 (i.e., medical treatment information related
to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or
infection with the human immunodeficiency virus), that information
cannot be disclosed under a routine use unless there is also specific
statutory authority in title 38, U.S.C. 7332 and regulatory authority
in Title 45, CFR Parts 160 and 164 permitting disclosure.
1. Disclosure may be made to a congressional office from the record
of an individual in response to an inquiry from the congressional
office made at the request of that individual.
2. Any disclosure from the system of records may be made to the
National Archives and Records Administration (NARA) in records
management inspections under title 44, U.S.C.
3. Any system records may be disclosed to a Federal agency for the
conduct of research and data analysis to perform a statutory purpose of
that Federal agency upon the prior written request of that agency,
provided that there is legal authority under all applicable
confidentiality statutes and regulations to provide the data and OPP
has determined prior to the disclosure that OPP data handling
requirements are satisfied. OPP may disclose limited individual
identification information to another Federal agency for the purpose of
matching and acquiring information held by that agency for OPP to use
for the purposes stated for this system of records.
[[Page 19773]]
4. VA may disclose on its own initiative any information in this
system, except the names and home addresses of veterans and their
dependents, which is relevant to a suspected or reasonably imminent
violation of law, whether civil, criminal or regulatory in nature and
whether arising by general or program statute or by regulation, rule or
order issued pursuant thereto, to a Federal, State, local, tribal, or
foreign agency charged with the responsibility of investigating or
prosecuting such violation, or charged with enforcing or implementing
the statute, regulation, rule or order. On its own initiative, VA may
also disclose the names and addresses of veterans and their dependents
to a Federal agency charged with the responsibility of investigating or
prosecuting civil, criminal or regulatory violations of law, or charged
with enforcing or implementing the statute, regulation, rule or order
issued pursuant thereto.
5. VA may disclose information in this system of records to the
Department of Justice (DoJ), either on VA's initiative or in response
to DoJ's request for the information, after either VA or DoJ determines
that such information is relevant to DoJ's representation of the United
States or any of its components in legal proceedings before a court or
adjudicative body, provided that, in each case, the agency also
determines prior to disclosure that disclosure of the records to the
DoJ is a use of the information contained in the records that is
compatible with the purpose for which VA collected the records. VA, on
its own initiative, may disclose records in this system of records in
legal proceedings before a court or administrative body after
determining that the disclosure of the records to the court or
administrative body is a use of the information contained in the
records that is compatible with the purpose for which VA collected the
records.
6. Any system records may be disclosed to individuals,
organizations, private or public agencies, or other entities or
individuals with whom VA has a contract or agreement for the
performance of the services identified in the contract or agreement.
The person performing the agreement or contract (or employees of the
person) also may disclose records covered by the contract or agreement
to any secondary entity or individual to perform an activity necessary
to provide to VA the service identified in the contract or agreement as
permitted under the contract or agreement.
7. VA may, on its own initiative, disclose information when VA
reasonably believes that there may have been a data breach with respect
to information in the system such that the confidentiality or integrity
of information in the system of records may have been compromised to
such agencies, entities, and persons who are reasonably necessary to
assist in connection with the Department's efforts to respond to the
suspected or confirmed data breach and prevent, minimize, or remedy
such harm, including conduct of any risk analysis, or provision of
credit protection services as provided in title 38, U.S.C. 5724.
8. Disclosure of information, excluding names and address (unless
furnished by the requestor) for research purposes determined to be
necessary and proper, may be made to epidemiological and other research
facilities approved by the Under Secretary for Health.
DISCLOSURE TO CONSUMER REPORTING AGENCIES:
VA will not disclose information to consumer reporting agencies.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
OPP's secured records are maintained electronically or remain in
textual form. All portable storage devices and media are kept in a safe
when not in immediate use. The devices and other media are located in a
combination-locked safe which is secured inside a key-accessed room at
the U.S. Department of Veterans Affairs, 810 Vermont Ave., NW.,
Washington, DC 20420. Other electronic data are placed on VA's
segregated server which is housed at VA's Austin Automation Center, 615
Woodward St., Austin, TX 78772. Information stored on paper is kept
locked in file cabinets when not in immediate use. Databases are
temporarily placed on a secured server inside a restricted network area
for data match purposes only. Information that resides on a segregated
server is kept behind cipher locked doors with limited access.
Requestors of OPP stored health information within VA, or from external
individuals, contractors, organizations, and/or agencies with whom VA
has a contract or agreement, must provide an equivalent level of
security protection and comply with all applicable VA policies and
procedures for storage and transmission as codified in VA directives
such as but not limited to VA Directive 6504.
RETRIEVABILITY:
OPP's records may be retrieved by using a social security number,
military service number, VA claim or file number, non-VA Federal
benefit identifiers, and other personal identifiers.
SAFEGUARDS:
This list of safeguards furnished in this system of records is a
general statement of measures taken to protect data in this system of
records and is not an exclusive list of measures taken. Other policies
and protections apply. For example, HIPAA guidelines for protecting
health information will be followed by adopting health-care-industry
best practices in order to provide adequate safeguards. Further, VA
policy directives that specify the standards that will be applied to
protect information will be reviewed by VA staff and contractors
through mandatory data privacy and security training annually.
All VA offices are protected from unauthorized access by security
personnel seven days a week. Entrances and exits are monitored by
security cameras and protected by an alarm system. All VA staff and
visitors are required to either have a VA-issued employment
identification card or a temporary visitor identification badge. All
work stations are secured during daytime and evening hours.
Electronic data located in Washington, DC, are stored in a
combination-key-locked safe which is secured inside a limited-access
room. Authorized employee access to the limited-access room and the
safe is based upon strict business needs as determined by the Assistant
Secretary for Policy and Planning. Textual data are stored in key-
locked cabinets inside secured rooms. Access to the server in Austin,
TX, is generally limited by appropriate locking devices and restricted
to authorized VA personnel.
Access to health information provided by VHA pursuant to a Business
Associate Agreement (BAA) is restricted to those OPP employees and
contractors who have a need for the information in the performance of
their official duties related to the terms of the BAA. As a general
rule, full sets of health care information are not provided for use
unless authorized by the Assistant Secretary for Policy and Planning.
File extracts provided for specific official uses will be limited to
the minimum necessary records and contain only the information fields
needed for the analysis. Data used for analyses will have individual
identifying characteristics removed whenever possible.
Security complies with applicable Federal Information Processing
[[Page 19774]]
Standards (FIPS) issued by the National Institute of Standards and
Technology (NIST). Health information files containing unique
identifiers such as social security numbers are encrypted to NIST
verified FIPS 140-2 standard or higher for storage, transport, or
transmission. All files stored or transmitted on laptops, workstations,
or data storage devices are encrypted. Files are kept encrypted at all
times except when data are in immediate use. These methods are applied
in accordance with HIPAA Privacy and Security regulations.
All data requests must be received in writing, vetted through a
review board, concurred on by the Assistant Secretary for Policy and
Planning, and released under the auspices of a signed data use
agreement. File extracts provided for specific official uses will be
limited to contain only the information fields needed for the analysis.
Data used for analyses will have individual identifying characteristics
removed or encrypted whenever possible. Unencrypted sensitive variables
will only be used for analysis as a last resort.
In the event of a contract or special project, VA may secure the
services of contractors and/or subcontractors. In such cases, VA will
maximize the utilization of encrypted data when possible. Contractors
and their subcontractors are required to maintain the same level of
security as VA staff for health care information that has been
disclosed to them. Any data disclosed to a contractor or subcontractor
to perform authorized analyses requires the use of Data Use Agreements
(DUAs), Non-Disclosure Statements and BAAs to protect health
information. Unless explicitly authorized in writing by VA, sensitive
or protected data made available to the contractor and subcontractors
shall not be divulged or made known in any manner to other parties or
to any person. Other Federal or State agencies requesting health care
information need to provide DUAs to protect data.
RETENTION AND DISPOSAL:
Records are destroyed or deleted when no longer needed for
administrative, legal, audit, or other operational purposes in
accordance with applicable, approved records disposition authority.
If the Archivist has not approved disposition authority for any
records covered by the system notice, the System Manager will take
immediate action to obtain an approved records disposition authority in
accordance with VA Handbook 6300.1, Records Management Procedures. The
records may not be destroyed until VA obtains an approved records
disposition authority.
SYSTEM MANAGER(S) AND ADDRESS(ES):
OPP's system manager is the Director, Data Development and Analysis
Service, (008A3), U.S. Department of Veterans Affairs, 810 Vermont
Ave., NW., Washington, DC 20420.
NOTIFICATION PROCEDURE:
An individual who wishes to determine whether a record is being
maintained in this system under his or her name or other personal
identifier, or wants to determine the contents of such record, should
submit a written request to the Director, Office of Data Development
and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont
Ave., NW., Washington, DC 20420. Such requests must contain a
reasonable description of the records requested. In addition,
identification of the individual requesting the information will be
required in the written request and will minimally consist of the
requester's name, signature, social security number, address, telephone
number, and return address.
RECORD ACCESS PROCEDURES:
Individuals seeking information regarding access to and contesting
of records maintained by OPP under his or her name or other personal
identifier may write the System Manager named above and specify the
information being requested or contested.
CONTESTING RECORDS PROCEDURES:
(See Notification procedure above.)
RECORD SOURCE CATEGORIES:
Information is obtained from VHA patient medical records, various
automated record systems providing clinical and managerial support to
VA health care facilities, records from VA's Veterans Benefits
Administration, DoD, and other Federal agencies.
[FR Doc. E7-7440 Filed 4-18-07; 8:45 am]
BILLING CODE 8320-01-P