[Federal Register Volume 75, Number 91 (Wednesday, May 12, 2010)]
[Notices]
[Pages 26847-26851]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-11373]
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY: Department of Veterans Affairs (VA).
ACTION: Notice of Establishment of New System of Records.
-----------------------------------------------------------------------
SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552(e) (4)) requires that
all agencies publish in the Federal Register a notice of the existence
and character of their systems of records. Notice is hereby given that
the Department of Veterans Affairs (VA) is establishing a new system of
records entitled ``Investigative Database-OMI-VA'' (162VA10MI).
DATES: Comments on this new system of records must be received no later
than June 11, 2010. If no public comment is received, the new system
will become effective June 11, 2010.
ADDRESSES: Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to Director, Regulations
Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue,
NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026.
Comments received will be available for public inspection in the Office
of Regulation Policy and Management, Room 1063B, between the hours of 8
a.m. and 4:30 p.m., Monday through Friday (except holidays). Please
call (202) 461-4902 (this is not a toll-free number) for an
appointment. In addition, during the comment period, comments may be
viewed online through the Federal Docket Management System (FDMS) at
http://www.Regulations.gov.
FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA)
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue,
NW., Washington, DC 20420; telephone (704) 245-2492.
SUPPLEMENTARY INFORMATION:
I. Description of Proposed System of Records
The Office of the Medical Inspector (OMI) conducts two different
types of investigations for the VHA--case investigations and national
quality assessments--both of which usually involve the collection of
personal identifiable information (PII). National quality assessments
result from a specific requirement assigned by the Secretary, the Under
Secretary for Health (USH), or the Principal Deputy Under Secretary for
Health (PDUSH). The OMI may also identify critical quality of care
issues and initiate assessment projects. These assessments may include
Web-based surveys, site visits, extraction of source data from VA data
systems at the Austin Information and Technology Center, or use of the
[[Page 26848]]
many quality and performance metrics available in VHA. These projects
are characterized by systematic efforts to employ VHA data and
information to inform VHA officials about problems/issues that impact
the general quality of VA health care. Case investigations typically
focus on the care delivered to one or more Veterans within the same
Medical Center or Health Care System and include information obtained
from reviews of medical records, interviews with patients and their
families, interviews with providers, and site visits. These
investigations inevitably require gathering PII either on Veterans and
their families, or on VA employees. OMI stores this collected data in a
secure document management system.
II. Proposed Routine Use Disclosures of Data in the System
1. Disclosure may be made to a congressional office from the record
of an individual in response to an inquiry from the congressional
office that is made at the request of that individual.
Veterans Affairs must be able to provide information about
individuals to adequately respond to inquiries from Members of Congress
at the request of constituents who have sought their assistance.
2. Disclosure may be made to the National Archives and Records
Administration (NARA) and the General Services Administration (GSA) for
records management activities and inspections conducted under authority
of Title 44, Chapter 29, United States Code. National Archives and
Records Administration and General Services Administration are
responsible for management of old records no longer actively used, but
which may be appropriate for preservation, and for the physical
maintenance of the Federal government's records. Veterans Affairs must
be able to provide the records to National Archives and Records
Administration and General Services Administration in order to
determine the proper disposition of such records.
3. VA may disclose information from this system of records to the
Department of Justice (DoJ), either on VA's initiative or in response
to DoJ's request for the information, after either VA or DoJ determines
that such information is relevant to DoJ's representation of the United
States or any of its components in legal proceedings before a court or
adjudicative body, provided that, in each case, the agency also
determines prior to disclosure that release of the records to the DoJ
is a use of the information contained in the records that is compatible
with the purpose for which VA collected the records. VA, on its own
initiative, may disclose records in this system of records in legal
proceedings before a court or administrative body after determining
that the disclosure of the records to the court or administrative body
is a use of the information contained in the records that is compatible
with the purpose for which VA collected the records.
Veterans Affairs must be able to provide information to Department
of Justice in litigation where the United States or any of its
components is involved or has an interest. A determination would be
made in each instance that under the circumstances involved, the
purpose is compatible with the purpose for which Veterans Affairs
collected the information. This routine use is distinct from the
authority to disclose records in response to a court order under
subsection (b)(11) of the Privacy Act, 5 United States Code 552(b)(11),
or any other provision of subsection (b), in accordance with the
court's analysis in Doe v. DiGenova, 779 F.2d 74, 78-84 (DC Cir. 1985)
and Doe v. Stephens, 851 F.2d 1457, 1465-67 (DC Cir. 1988).
4. Any information in this system, except the name and address of a
Veteran, may be disclosed to a Federal, State, or local agency
maintaining civil or criminal violation records or other pertinent
information such as prior employment history, prior Federal employment
background investigations, and/or personal or educational background in
order for VA to obtain information relevant to the hiring, transfer, or
retention of an employee, the letting of a contract, the granting of a
security clearance, or the issuance of a grant or other benefit. The
name and address of a Veteran may be disclosed to a Federal agency
under this routine use if this information has been requested by the
Federal agency in order to respond to the VA inquiry.
5. VA may disclose on its own initiative any information in this
system, except the names and home addresses of Veterans and their
dependents, which is relevant to a suspected or reasonably imminent
violation of law, whether civil, criminal, or regulatory in nature and
whether arising by general or program statute or by regulation, rule or
order issued pursuant thereto, to a Federal, State, local, Tribal, or
foreign agency charged with the responsibility of investigating or
prosecuting such violation, or charged with enforcing or implementing
the statute, regulation, rule or order. On its own initiative, VA may
also disclose the names and addresses of Veterans and dependents to a
Federal or State agency charged with the responsibility of
investigating or prosecuting civil, criminal, or regulatory violations
of law, or charged with enforcing or implementing the statute,
regulation, rule, or order issued pursuant thereto.
Veterans Affairs must be able to provide on its own initiative
information that pertains to a violation of laws to law enforcement
authorities in order for them to investigate and enforce those laws.
Under 38 United States Code 5701(a) and (f), Veterans Affairs may only
disclose the names and addresses of veterans and their dependents to
Federal entities with law enforcement responsibilities. This is
distinct from the authority to disclose records in response to a
qualifying request from a law enforcement entity, as authorized by
Privacy Act subsection 5 United States Code 552a(b)(7).
6. To assist attorneys in representing their clients, any
information in this system may be disclosed to attorneys representing
subjects of investigations, including Veterans, Federal government
employees, retirees, volunteers, contractors, subcontractors, or
private citizens.
7. Disclosure of information to Federal Labor Relations Authority
(FLRA), including its General Counsel, when requested in connection
with the investigation and resolution of allegations of unfair labor
practices, in connection with the resolution of exceptions to
arbitrator awards when a question of material fact is raised, in
connection with matters before the Federal Service Impasses Panel, and
to investigate representation petitions and conduct or supervise
representation elections. VA must be able to provide information to
FLRA to comply with the statutory mandate under which it operates.
8. Information may be disclosed to the Equal Employment Opportunity
Commission when requested in connection with investigations of alleged
or possible discriminatory practices, examination of Federal
affirmative employment programs, compliance with the Uniform Guidelines
of Employee Selection Procedures, or other functions vested in the
Commission by the President's Reorganization Plan No. 1 of 1978. VA
must be able to provide information to EEOC to assist it in fulfilling
its duties to protect employees' rights, as required by statute
regulation.
9. Information may be disclosed to officials of the Merit Systems
Protection Board, and the Office of Special Counsel, when properly
requested in connection with appeals, special studies of the civil
service and other merit systems, reviews of rules and
[[Page 26849]]
regulations, investigation of alleged or possible prohibited personnel
practices, and such other functions, promulgated in Title 5, United
States Code, Sections 1205 and 1206, or as may be authorized by law. VA
must be able to provide information to MSPB to assist it in fulfilling
its duties as required by statute and regulation.
10. Any information in this system of records may be disclosed, in
the course of presenting evidence in or to a court, magistrate,
administrative tribunal, or grand jury, including disclosures to
opposing counsel in the course of such proceedings or in settlement
negotiations.
11. Any information in this system, except the name and address of
a Veteran, may be disclosed to Federal, State, or local professional,
regulatory, or disciplinary organizations or associations, including
but not limited to bar associations, State licensing boards, and
similar professional entities, for use in disciplinary proceedings and
inquiries preparatory thereto, where VA determines that there is good
cause to question the legality or ethical propriety of the conduct of a
person employed by VA or a person representing a person in a matter
before VA.
The name and address of a Veteran may be disclosed to a Federal
agency under this routine use if this information has been requested by
the Federal agency in order to respond to the VA inquiry.
12. VA may disclose information to individuals, organizations,
private or public agencies, or other entities with which VA has a
contract or agreement or where there is a subcontract to perform such
services as VA may deem practicable for the purposes of laws
administered by VA, in order for the contractor or subcontractor to
perform the services of the contract or agreement. This routine use,
which also applies to agreements that do not qualify as contracts
defined by Federal procurement laws and regulations, is consistent with
Office of Management and Budget guidance in Office of Management and
Budget Circular A-130, App. I, paragraph 5a(1)(b) that agencies
promulgate routine uses to address disclosure of Privacy Act-protected
information to contractors in order to perform the services contracts
for the agency.
13. Disclosure to other Federal agencies may be made to assist such
agencies in preventing and detecting possible fraud or abuse by
individuals in their operations and programs.
This routine use permits disclosures by the Department to report a
suspected incident of identity theft and provide information and/or
documentation related to or in support of the reported incident.
14. Disclosure of any information within this system may be made
when it is suspected or confirmed that the security or confidentiality
of information in the system of records has been compromised and VA has
determined that as a result of the suspected or confirmed compromise
there is a risk of harm to economic or property interest, identity
theft or fraud, or harm to the security or integrity of this system or
other systems or programs (whether maintained by VA or another agency
or entity) that rely upon the compromised information; and the
disclosure is made to such agencies, entities, and persons who are
reasonably necessary to assist in connection with VA's efforts to
respond to the suspected or confirmed compromise and prevent, minimize,
or remedy such harm.
This routine use permits disclosures by the Department to respond
to a suspected or confirmed data breach, including the conduct of any
risk analysis or provision of credit protection services as provided in
38 United States Code 5724, as the terms are defined in 38 United
States Code 5727.
III. Compatibility of the Proposed Routine Uses
The notice of intent to publish an advance copy of the system
notice have been sent to the appropriate Congressional committees and
to the Director of the Office of Management and Budget (OMB) as
required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB
(65 FR 77677), December 12, 2000.
Approved: April 15, 2010.
John R. Gingrich,
Chief of Staff, Department of Veterans Affairs.
162VA10MI
SYSTEM NAME:
Investigative Database-OMI-VA.
SYSTEM LOCATION:
The main Office of the Medical Inspector (OMI) records are
maintained in secure files within the OMI and indexed on a secure
document management server within the VA Central Office firewall.
Additional records are maintained by VA's Austin Automation Center,
1615 Woodward Street, Austin, Texas 78772, and subject to their
security control.
Categories of individuals covered by the system:
The records contain information for individuals (1) Receiving
health care from the Veterans Health Administration (VHA), and (2)
Providing the health care. Individuals encompass Veterans and their
immediate family members, members of the armed services, current and
former employees, trainees, contractors, sub-contractors, consultants,
volunteers, and other individuals working collaboratively with VA.
Categories of records in the system:
The records may include information and health information related
to: 1. Patient medical record abstract information including
information from Patient Medical Record--VA (24VA19); 2. Identifying
information (e.g., name, birth date, death date, admission date,
discharge date, gender, Social Security Number, taxpayer identification
number); address information (e.g., home and/or mailing address, home
and/or cell telephone number, emergency contact information such as
name, address, telephone number, and relationship); prosthetic and
sensory aid serial numbers; medical record numbers; integration control
numbers; information related to medical examination or treatment (e.g.,
location of VA medical facility providing examination or treatment,
treatment dates, medical conditions treated or noted on examination);
information related to military service and status; 3. Medical benefit
and eligibility information; 4. Patient aggregate workload data such as
admissions, discharges, and outpatient visits; resource utilization
such as laboratory tests, x rays, and prescriptions; 5. Patient
Satisfaction Survey Data which include questions and responses; 6. Data
capture from various VA databases. According to VHA Directive 2006-042
of June 27, 2006, ``Cooperation with the Office of the Medical
Inspector'' Paragraph 4 a., ``OMI, as a component of VHA, has legal
authority under applicable Federal privacy laws and regulations to
access and use any information, including health information,
maintained in VHA records for the purposes of health care operations
and health care oversight;'' and 7. Documents and reports produced and
received by OMI in the course of its investigations.
Authority for maintenance of the system:
Title 38, United States Code, Section 501.
PURPOSE(S):
The records and information of this database may be used to
document the investigative activities of the OMI; to perform
statistical analysis to produce
[[Page 26850]]
various management and follow-up reports; and to monitor the activities
of Medical Centers in fulfilling action plans developed in response to
OMI reports. The data may be used for VA's extensive quality
improvement programs in accordance with VA policy. In addition, the
data may be used for law enforcement investigations. Survey data will
be collected for the purpose of measuring and monitoring various
aspects and outcomes of National, Veterans Integrated Service Network
(VISN) and Facility-Level performance. Results of the survey data
analysis are shared throughout the VHA system.
Routine uses of records maintained in the system, including categories
of users and the purposes of such uses:
To the extent that records contained in the system include
information protected by 45 CFR Parts 160 and 164, i.e., individually
identifiable health information, and 38 U.S.C. 7332, i.e., medical
treatment information related to drug abuse, alcoholism or alcohol
abuse, sickle cell anemia or infection with the human immunodeficiency
virus, that information cannot be disclosed under a routine use unless
there is also specific statutory authority in 38 U.S.C. 7332 and
regulatory authority in 45 CFR Parts 160 and 164 permitting disclosure.
1. Disclosure may be made to a congressional office from the record
of an individual in response to an inquiry from the congressional
office that is made at the request of that individual.
2. Disclosure may be made to the National Archives and Records
Administration (NARA) and the General Services Administration for
records management activities and inspections conducted under authority
of Title 44, Chapter 29, United States Code.
3. VA may disclose information from this system of records to the
Department of Justice (DoJ), either on VA's initiative or in response
to DoJ's request for the information, after either VA or DoJ determines
that such information is relevant to DoJ's representation of the United
States or any of its components in legal proceedings before a court or
adjudicative body, provided that, in each case, the agency also
determines prior to disclosure that release of the records to DoJ is a
use of the information contained in the records that is compatible with
the purpose for which VA collected the records. VA, on its own
initiative, may disclose records in this system of records in legal
proceedings before a court or administrative body after determining
that the disclosure of the records to the court or administrative body
is a use of the information contained in the records that is compatible
with the purpose for which VA collected the records.
4. Any information in this system, except the name and address of a
Veteran, may be disclosed to a Federal, State, or local agency
maintaining civil or criminal violation records or other pertinent
information such as prior employment history, prior Federal employment
background investigations, and/or personal or educational background in
order for VA to obtain information relevant to the hiring, transfer, or
retention of an employee, the letting of a contract, the granting of a
security clearance, or the issuance of a grant or other benefit. The
name and address of a Veteran may be disclosed to a Federal agency
under this routine use if this information has been requested by the
Federal agency in order to respond to the VA inquiry.
5. VA may disclose on its own initiative any information in this
system, except the names and home addresses of Veterans and their
dependents, which is relevant to a suspected or reasonably imminent
violation of law, whether civil, criminal, or regulatory in nature and
whether arising by general or program statute or by regulation, rule or
order issued pursuant thereto, to a Federal, State, local, Tribal, or
foreign agency charged with the responsibility of investigating or
prosecuting such violation, or charged with enforcing or implementing
the statute, regulation, rule or order. On its own initiative, VA may
also disclose the names and addresses of Veterans and dependents to a
Federal or State agency charged with the responsibility of
investigating or prosecuting civil, criminal, or regulatory violations
of law, or charged with enforcing or implementing the statute,
regulation, rule, or order issued pursuant thereto.
6. To assist attorneys in representing their clients, any
information in this system may be disclosed to attorneys representing
subjects of investigations, including Veterans, Federal government
employees, retirees, volunteers, contractors, subcontractors, or
private citizens.
7. Disclosure of information to Federal Labor Relations Authority
(FLRA), including its General Counsel, when requested in connection
with the investigation and resolution of allegations of unfair labor
practices, in connection with the resolution of exceptions to
arbitrator awards when a question of material fact is raised, in
connection with matters before the Federal Service Impasses Panel, and
to investigate representation petitions and conduct or supervise
representation elections.
8. Information may be disclosed to the Equal Employment Opportunity
Commission when requested in connection with investigations of alleged
or possible discriminatory practices, examination of Federal
affirmative employment programs, compliance with the Uniform Guidelines
of Employee Selection Procedures, or other functions vested in the
Commission by the President's Reorganization Plan No. 1 of 1978.
9. Information may be disclosed to officials of the Merit Systems
Protection Board, and the Office of Special Counsel, when properly
requested in connection with appeals, special studies of the civil
service and other merit systems, reviews of rules and regulations,
investigation of alleged or possible prohibited personnel practices,
and such other functions, promulgated in Title 5, United States Code,
Sections 1205 and 1206, or as may be authorized by law.
10. Any information in this system of records may be disclosed, in
the course of presenting evidence in or to a court, magistrate,
administrative tribunal, or grand jury, including disclosures to
opposing counsel in the course of such proceedings or in settlement
negotiations.
11. Any information in this system, except the name and address of
a Veteran, may be disclosed to Federal, State, or local professional,
regulatory, or disciplinary organizations or associations, including
but not limited to bar associations, State licensing boards, and
similar professional entities, for use in disciplinary proceedings and
inquiries preparatory thereto, where VA determines that there is good
cause to question the legality or ethical propriety of the conduct of a
person employed by VA or a person representing a person in a matter
before VA. The name and address of a Veteran may be disclosed to a
Federal agency under this routine use if this information has been
requested by the Federal agency in order to respond to the VA inquiry.
12. VA may disclose information to individuals, organizations,
private or public agencies, or other entities with which VA has a
contract or agreement or where there is a subcontract to perform such
services as VA may deem practicable for the purposes of laws
administered by VA, in order for the contractor or subcontractor to
perform the services of the contract or agreement.
13. Disclosure to other Federal agencies may be made to assist such
agencies in preventing and detecting possible fraud or abuse by
individuals in their operations and programs.
[[Page 26851]]
14. Disclosure of any information within this system may be made
when it is suspected or confirmed that the security or confidentiality
of information in the system of records has been compromised and VA has
determined that as a result of the suspected or confirmed compromise
there is a risk of harm to economic or property interest, identity
theft or fraud, or harm to the security or integrity of this system or
other systems or programs (whether maintained by VA or another agency
or entity) that rely upon the compromised information; and the
disclosure is made to such agencies, entities, and persons who are
reasonably necessary to assist in connection with VA's efforts to
respond to the suspected or confirmed compromise and prevent, minimize,
or remedy such harm.
Policies and practices for storing, retrieving, accessing, retaining,
and disposing of records in the system:
Storage:
Records are maintained on paper and on electronic storage media,
including magnetic tape, disk, encrypted flash memory, and laser
optical media.
Retrievability:
Records are retrieved by name, Social Security Number, or other
assigned identifiers of the individuals on whom they are maintained.
Safeguards:
1. Access to and use of national patient databases are limited to
those persons whose official duties require such access, and VA has
established security procedures to ensure that access is appropriately
limited. Information security officers and system data stewards review
and authorize data access requests. VA regulates data access with
security software that authenticates users and requires individually
unique codes and passwords. VA provides information security training
to all staff and instructs staff on the responsibility each person has
for safeguarding data confidentiality.
2. VA maintains Business Associate Agreements (BAA) and Non-
Disclosure Agreements with contracted resources in order to maintain
confidentiality of the information.
3. Physical access to computer rooms housing national patient
databases is restricted to authorized staff and protected by a variety
of security devices. Unauthorized employees, contractors, and other
staff are not allowed in computer rooms. The Federal Protective Service
or other security personnel provide physical security for the buildings
housing computer rooms and data centers.
4. All materials containing real or scrambled Social Security
Numbers are kept only on secure, encrypted VHA servers, personal
computers, laptops, or media. All e-mail transmissions of such files
use Public Key Infrastructure (PKI) encryption. If a recipient does not
have PKI, items are mailed or sent to a secure fax. Paper records
containing Social Security Numbers are secured in locked cabinets or
offices within the OMI area. Access to OMI requires passing a security
officer, an elevator card reader for floor access and a separate VHA
card reader for access to the office area. All materials, both paper
and electronic, that are no longer required are shredded/obliterated in
accordance with VHA guidelines. Materials required for case
documentation and follow up are archived in our secure document
management server (electronic) and in locked storage (paper).
5. In most cases, copies of back-up computer files are maintained
at off-site locations.
Retention and disposal:
The records are disposed of in accordance with Section XXXV--Office
of the Medical Inspector (10MI) of the Veterans Health Administration
Records Control Schedule 10-1 of March 31, 2008, which stipulates that
records from investigations not involving site visits will be destroyed
10 years after closure; records from investigations involving site
visits will be destroyed 20 years after closure.
System manager(s) and address:
Official responsible for policies and procedures; Chief Information
Officer (19), Department of Veterans Affairs, 810 Vermont Avenue, NW.,
Washington, DC 20420. Official maintaining this system of records:
Donald L. Martin, Correspondence Analyst, OMI (10MI), 810 Vermont
Avenue, NW., Washington, DC 20420.
Notification procedure:
Individuals who wish to determine whether this system of records
contains information about them should contact Donald L. Martin,
Correspondence Analyst, OMI (10MI), 810 Vermont Avenue, NW.,
Washington, DC 20420. Inquiries should include the person's full name,
Social Security number, location and dates of employment or location
and dates of treatment, and return address.
Record access procedure:
Individuals seeking information regarding access to and contesting
of records in this system may write or call Donald L. Martin,
Correspondence Analyst, OMI (10MI), 810 Vermont Avenue, NW.,
Washington, DC 20420, 202-461-4079.
Contesting record procedures:
(See Record Access Procedures above.)
Record source categories:
Information in this system of records is provided by Veterans, VA
employees, VA computer systems, Veterans Health Information Systems and
Technology Architecture (VistA), VA medical centers, VA Health
Eligibility Center, VA program offices, VISNs, VA Austin Automation
Center, the Food and Drug Administration, the Department of Defense,
Survey of Healthcare Experiences of Patients, External Peer Review
Program, and the following Systems Of Records: ``Patient Medical
Records--VA'' (24VA19), ``National Prosthetics Patient Database--VA''
(33VA113), ``Healthcare Eligibility Records--VA'' (89VA16), VA Veterans
Benefits Administration automated record systems (including the
Veterans and Beneficiaries Identification and Records Location
Subsystem--VA (38VA23), and subsequent iterations of those systems of
records.
[FR Doc. 2010-11373 Filed 5-11-10; 8:45 am]
BILLING CODE 8320-01-P