[Federal Register Volume 75, Number 221 (Wednesday, November 17, 2010)]
[Notices]
[Pages 70365-70369]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-28950]
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act Of 1974; System of Records
AGENCY: Department of Veterans Affairs (VA).
ACTION: Notice of Amendment to System of Records.
-----------------------------------------------------------------------
SUMMARY: As required by the Privacy Act of 1974, 5 U.S.C. 552a(e),
notice is hereby given that the Department of Veterans Affairs (VA) is
amending the system of records currently entitled ``My HealtheVet
Administrative Records--VA'' 130VA19 as set forth in the Federal
Register 193 FR 59991. VA is amending the system by revising the
Routine Uses of Records Maintained in the System and the Categories of
Records in the System, Location, and Purpose. VA is republishing the
system notice in its entirety.
DATES: Comments on the amendment of this system of records must be
received no later than December 17, 2010. If no public comment is
received, the amended system will become effective December 17, 2010.
ADDRESSES: Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to Director, Regulations
Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue,
NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026.
Comments received will be available for public inspection in the Office
of Regulation Policy and Management, Room 1063B, between the hours of 8
a.m. and 4:30 p.m., Monday through Friday (except holidays). Please
call (202) 461-4902 (this is not a toll-free number) for an
appointment. In addition, during the comment period, comments may be
viewed online through the Federal Docket Management System (FDMS) at
http://www.Regulations.gov.
FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA)
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue,
NW., Washington, DC 20420; telephone (704) 245-2492.
SUPPLEMENTARY INFORMATION:
Background: My HealtheVet (MHV) is a web-based personal health
record
[[Page 70366]]
system that provides Veterans with information and tools that they can
use to increase their knowledge about health conditions, increase
communication with their care providers and improve their own health.
Level one Veterans (who have a MHV account hosted behind the VA
firewall which follows VA approved guidelines for user name and strong
password) are able to access health education tools and resources,
create and maintain a secure comprehensive personal health record, and
request VA prescription refills online. Authenticated level two
Veterans are able to receive electronic copies of their health
information, view VA wellness reminders, communicate with their
providers through secure messaging, and access a number of other
functions and options related to their health maintenance and health
information. VA also provides, through a web-based environment, a
secure and private health space where Veterans can enter their own
personal and medical information in a ``self-entered'' health
information section.
Electronic copies of health information are not considered VA
authoritative records, nor are they considered part of the VA system of
records once they are downloaded into the Veteran's secure and private
health space. The Veteran's self-entered health information is also
owned and maintained by the Veteran in the My HealtheVet secure and
private health space and is not by itself a part of the VA's system of
records. This self-entered health information may be included in the
Veteran's official VA electronic health record upon the Veteran's
request and/or upon VA's determination that it is appropriate to
include it in the official medical record.
Certain applications of My HealtheVet may generate or result in
data and information that is included in another VA system of records,
such as secure messages which are generated from the My HealtheVet
application but are included in 24VA19 system of records due to the
potential for clinically relevant information to be contained within a
secure message. Administrative data associated with such applications
will be included in the My HealtheVet Administrative Records--VA system
of records.
Certain applications of My HealtheVet may interface with other VA
maintained programs or applications to allow communication from the
Veteran to the specific application or program, such as eBenefits
applications, a VA/DoD joint portal. Certain administrative data may be
maintained by My HealtheVet as a result of these applications or
exchanges; however, the VA maintained program or application receiving
the information will maintain the authoritative information of record.
My HealtheVet may also be used, upon permission from the Veteran,
as a Health Information Exchange point, between a VA approved agency or
organization and the Veteran's personal health record.
VA does not provide access to the Veteran's personal health
information maintained in My HealtheVet in any situation, including
medical emergency situations. If a non-VA health care provider requires
information from VA medical records to treat a Veteran patient, the
non-VA health care provider must obtain the Veteran's consent to
release information and contact the VA facility where the Veteran
patient was last treated to obtain information.
Delegation of My HealtheVet will allow Veterans to share all or
part of the information in their account with other individuals that
they designate, such as family members, and VA and non-VA health care
providers.
In order to administer the My HealtheVet program and support the
provision of the above benefits to Veterans, VHA retains administrative
information, including personally identifiable information on users of
My HealtheVet. In addition, VHA houses the patient's self-entered
information in a separate database, but the administrative and patient
data files can be linked. This administrative information is stored in
the My HealtheVet Administrative Records System, and constitutes a
separate system of records.
I. Description of Proposed System of Records
The My HealtheVet Administrative Records System contains
administrative information created or collected during the course of
operating My HealtheVet, and is provided by Veterans and other
qualified individuals, their delegates and grantees, Veterans Health
Information Systems and Technology Architecture (VistA) IT systems, VA
employees, contractors, and subcontractors. At this time, the My
HealtheVet program is planning to maintain minimal administrative
records at each local facility, while maintaining more comprehensive
administrative records at a central location, VA National Data Center
or VA Health Data Warehouse Repository. The records kept locally
support the local VA My HealtheVet training programs and applications,
and VA's annual reporting requirements under the Freedom of Information
Act (FOIA) for those Veterans who request electronic access to copies
of key portions of their health records.
The more comprehensive repository of administrative information is
maintained at a central location. This information is used to support
My HealtheVet electronic services, such as requests for prescription
refill, co-payment and appointment information, entry of personal
health metrics, and Veteran requests for electronic copies of their
health information. This information may also be used for business
administrative reports for system operators and VA managers to ensure
that the My HealtheVet system is meeting performance expectations and
being used within legal boundaries.
The information needed to support My HealtheVet program activities
and electronic services includes such information as: the person's full
name; My HealtheVet User ID; date of birth; e-mail address; telephone
number; social security number; mother's maiden name; zip code; place
and date of registration for My HealtheVet electronic record access;
delegate and grantee user IDs associated with My HealtheVet users;
level of access to My HealtheVet electronic services; date and type of
transaction; patient integration control number (ICN); and other
administrative data needed for My HealtheVet roles and services.
II. Proposed Routine Use Disclosures of Data in the System
We are proposing to establish the following Routine Use disclosures
of information maintained in the system:
6. Disclosure to other Federal agencies may be made to assist such
agencies in preventing and detecting possible fraud or abuse by
individuals in their operations and programs.
This routine use permits disclosures by the Department to report a
suspected incident of identity theft and provide information or
documentation related to or in support of the reported incident.
7. VA may, on its own initiative, disclose any information or
records to appropriate agencies, entities, and persons when (1) VA
suspects or has confirmed that the integrity or confidentiality of
information in the system of records has been compromised; (2) the
Department has determined that as a result of the suspected or
confirmed compromise, there is a risk of embarrassment or harm to the
reputations of the record subjects, harm to economic or property
interests, identity theft or fraud, or harm to the security,
confidentiality, or integrity of this system or other systems or
programs (whether maintained by the
[[Page 70367]]
Department or another agency or disclosure is to agencies, entities, or
persons whom VA determines are reasonably necessary to assist or carry
out the Department's efforts to respond to the suspected or confirmed
compromise and prevent, minimize, or remedy such harm. This routine use
permits disclosures by the Department to respond to a suspected or
confirmed data breach, including the conduct of any risk analysis or
provision of credit protection services as provided in 38 U.S.C. 5724,
as the terms are defined in 38 U.S.C. 5727.
8. Disclosure of administrative data including information about My
HealtheVet use and user transactions accomplished via the Web site may
be provided to approved VA research investigators with VA Institutional
Review Board (IRB) approval. Disclosure of this information to research
investigators will allow VA to evaluate the value of the My HealtheVet
for purposes of system modification and improvement, and for purposes
of promoting patient self-management of health and improved health
outcomes.
III. Compatibility of the Proposed Routine Uses
The Privacy Act permits VA to disclose information about
individuals without their consent for a routine use when the
information, in this case administrative information, will be used for
a purpose that is compatible with the purpose for which VA collected
it. In all of the routine use disclosures described above, either the
recipient of the administrative information will use the information in
connection with the My HealtheVet program, a matter relating to one of
VA's programs to provide a benefit to VA, or to meet legal requirements
for disclosure.
The Report of Intent to Amend a System on Records Notice and an
advance copy of the system notice have been sent to the appropriate
Congressional committees and to the Director of the Office of
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
Approved: November 1, 2010.
John R. Gingrich,
Chief of Staff, Department of Veterans Affairs.
130VA19
SYSTEM NAME:
``My HealtheVet Administrative Records--VA''
SYSTEM LOCATION:
Veterans Health Administration (VHA) local facilities, VA National
Data Centers, and VA Health Data Repository (HDR) located at the VA
National Data Centers. Address locations for VA facilities are listed
in VA Appendix 1 of the biennial publications of the VA systems of
records.
Categories of individuals covered by the system:
Individuals covered encompass: (1) All individuals who successfully
register for a My HealtheVet account and whose identity has been
verified; (2) Representatives of the above individuals who have been
provided grantee or delegate access to My HealtheVet including, but not
limited to, family members, friends, or VA and non-VA health care
providers; (3) VA health care providers and certain administrative
staff; (4) VHA Information Technology (IT) staff and/or their approved
contractors who may need to enter identifying, administrative
information into the system to initiate, support and maintain
electronic services for My HealtheVet participants; and (5) VA
researchers fulfilling VA required authorization procedures.
Categories of records in the system:
The records include personally identifiable information, such as an
individual's full name; My HealtheVet User Identifier (ID); date of
birth; social security number; e-mail address; telephone number;
mother's maiden name; ZIP code; place and date of registration for My
HealtheVet; delegate and grantee user IDs associated with My HealtheVet
accounts; level of access to My HealtheVet electronic services; date
and type of transaction; web analytics for the purpose of monitoring
site usage, patient internal control number (ICN); and other
administrative data needed for My HealtheVet roles and services.
Authority for maintenance of the system:
Title 38, United States Code, Sec. 501.
PURPOSE(S):
The information in the My HealtheVet Administrative Records is
needed to operate the My HealtheVet program, including but not limited
to registration and verification of the Veteran's identity or to
register and authenticate those who have legal authority to participate
in lieu of the Veteran, to assign and verify administrators of the My
HealtheVet portal, to retrieve the Veteran's information to perform
specific functions, allow access to specific information and provide
other associated My HealtheVet electronic services in current and
future applications of the My HealtheVet program. The administrative
information may also be used to create administrative business reports
for system operators and VA managers who are responsible for ensuring
that the My HealtheVet system is meeting performance expectations, and
is in compliance with applicable Federal laws and regulations.
Administrative information may also be used for evaluation to support
program improvement, including VA approved research studies.
Routine uses of records maintained in the system, including categories
of users and the purposes of such uses:
To the extent that records contained in the system include
information protected by 45 CFR Parts 160 and 164, i.e., individually
identifiable health information, and 38 U.S.C. 7332, i.e., medical
treatment information related to drug abuse, alcoholism or alcohol
abuse, sickle cell anemia or infection with the human immunodeficiency
virus, that information cannot be disclosed under a routine use unless
there is also specific statutory authority in 38 U.S.C. 7332 and
regulatory authority in 45 CFR Parts 160 and 164 permitting disclosure.
1. Disclosure of information in this system of records may be made
to private or public sector organizations, individuals, agencies, etc.,
with whom VA has a contract or agreement, including subcontractors, in
order to administer the My HealtheVet program, or perform other such
services as VA deems appropriate and practical for the purposes of
administering VA laws.
2. VA may disclose on its own initiative any information in the
system, except the names and home addresses of Veterans and their
dependents, that is relevant to a suspected or reasonably imminent
violation of the law whether civil, criminal, or regulatory in nature
and whether arising by general or program statute or by regulation,
rule, or order issued pursuant thereto, to a Federal, state, local,
tribal, or foreign agency charged with the responsibility of
investigating or prosecuting such violation, or charged with enforcing
or implementing the statute, regulation, rule, or order. VA may also
disclose on its own initiative the names and addresses of veterans and
their dependents to a Federal agency charged with the responsibility of
investigating or prosecuting civil, criminal, or regulatory violations
of law, or charged with enforcing or implementing the statute,
regulation, or order issued pursuant thereto.
[[Page 70368]]
3. Disclosure may be made to National Archives and Records
Administration (NARA) and the General Services Administration (GSA) to
support its records management inspections responsibilities and its
role as Archivist of the United States under authority of title 44
United States Code (U.S.C).
4. Any information in this system of records may be disclosed to
the United States Department of Justice or United States Attorneys in
order to prosecute or defend litigation involving or pertaining to the
United States, or in which the United States has an interest.
5. Disclosure may be made to a congressional office from the record
of an individual in response to an inquiry from the congressional
office made at the request of that individual.
6. Disclosure to other Federal agencies may be made to assist such
agencies in preventing and detecting possible fraud or abuse by
individuals in their operations and programs.
7. Disclosure of information may be made when (1) it is suspected
or confirmed that the integrity or confidentiality of information in
the system of records has been compromised; (2) the Department has
determined that as a result of the suspected or confirmed compromise
there is a risk of embarrassment or harm to the reputations of the
record subjects, harm to economic or property interests, identity theft
or fraud, or harm to the security or integrity of this system or other
systems or programs (whether maintained by the Department or another
agency or entity) that rely upon the compromised information; and (3)
the disclosure is to agencies, entities, and persons whom VA determines
are reasonably necessary to assist or carry out the Department's
efforts to respond to the suspected or confirmed compromise and
prevent, minimize, or remedy such harm. This routine use permits
disclosure by the Department to respond to a suspected or confirmed
data breach, including the conduct of any risk analysis or confirmed
data breach, including the conduct of any risk analysis or provision of
credit protection services as provided in 38 U.S.C. 5724, as the terms
are defined in 38 U.S.C. 5727.
8. Disclosure of information may be made to VA to approved
researchers to enhance, advance and promote both the function and the
content of the My HealtheVet application.
Policies and practices for storing, retrieving, accessing, retaining,
and disposing of records in the system:
Storage:
These administrative records are maintained on paper and electronic
media, including hard drive disks, which are backed up to tape at
regular intervals.
Retrievability:
Records may be retrieved by an individual's name, user ID, date of
registration for My HealtheVet electronic services, zip code, the VA
assigned ICN, date of birth and/or social security number, if provided.
Safeguards:
1. Access to and use of the My HealtheVet Administrative Records
are limited to those persons whose official duties require such access;
VA has established security procedures to ensure that access is
appropriately limited. Information security officers and system data
stewards review and authorize data access requests. VA regulates data
access with security software that authenticates My HealtheVet
administrative users and requires individually unique codes and
passwords. VA provides information security training to all staff and
instructs staff on the responsibility each person has for safeguarding
data confidentiality. VA regularly updates security standards and
procedures that are applied to systems and individuals supporting this
program.
2. Physical access to computer rooms housing the My HealtheVet
Administrative Records is restricted to authorized staff and protected
by a variety of security devices. Unauthorized employees, contractors,
and other staff are not allowed in computer rooms. The Federal
Protective Service or other security personnel provide physical
security for the buildings housing computer systems and data centers.
3. Data transmissions between operational systems and My HealtheVet
Administrative Records maintained by this system of records are
protected by telecommunications software and hardware as prescribed by
VA standards and practices. This includes firewalls, encryption, and
other security measures necessary to safeguard data as it travels
across the VA-Wide Area Network.
4. Copies of back-up computer files are maintained at secure off-
site locations.
Retention and disposal:
Records are maintained and disposed of in accordance with the
records disposition authority approved by the Archivist of the United
States. Records from this system that are needed for audit purposes
will be disposed of 6 years after a user's account becomes inactive.
Routine records will be disposed of when the agency determines they are
no longer needed for administrative, legal, audit, or other operational
purposes. These retention and disposal statements are pursuant to NARA
General Records Schedules GRS 20, item 1c and GRS 24, item 6a.
System manager(S) and address:
Official responsible for policies and procedures: Deputy Chief
Information Officer for Health (19), Department of Veterans Affairs,
810 Vermont Avenue, NW., Washington, DC 20420. Officials maintaining
this system of records: The local VA facility (Address locations for VA
facilities are listed in VA Appendix 1 of the biennial publications of
the VA systems of records) and the Chief, Technical Infrastructure
Division (31), Austin Automation Center, 1615 Woodward Street, Austin,
Texas 78772.
Notification procedure:
Individuals who wish to determine whether a record is being
maintained under their name in this system or wish to determine the
contents of such records have two options:
1. Submit a written request or apply in person to the VA facility
where the records are located. VA facility location information can be
found in the Facilities Locator section of VA's Web site at http://www.va.gov; or
2. Submit a written request or apply in person to the Chief of the
Technical Infrastructure Division (31), Austin Automation Center, 1615
Woodward Street, Austin, Texas 78772.
Inquiries should include the person's full name, user ID, date of
birth and return address.
Record access procedure:
Individuals seeking information regarding access to and contesting
of records in this system may write or call their local VA facility
and/or the Chief of the Technical Infrastructure Division (31), Austin
Automation Center, 1615 Woodward Street, Austin, Texas 78772, or call
(512) 326-6780 to reach the VA Austin Automation Center Help Desk speak
with the Chief of the Technical Infrastructure Division.
Contesting record procedures:
(See Record Access Procedures above).
Record source categories:
The sources of information for this system of records include the
[[Page 70369]]
individuals covered by this notice and an additional contributor, as
listed below:
(1) All individuals who successfully register for a My HealtheVet
account;
(2) Representatives of the above individuals who have been provided
access to the private health space by the Veteran user, including but
not limited to, family members, friends, or VA and non-VA health care
providers;
(3) VA health care providers;
(4) VHA IT staff and/or their contractors and subcontractors who
may need to enter information into the system to initiate, support and
maintain My HealtheVet electronic services for My HealtheVet users;
(5) VistA systems and
(6) VA researchers fulfilling VA required authorization procedures
(see VHA Handbook 1200.01 http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=2038).
[FR Doc. 2010-28950 Filed 11-16-10; 8:45 am]
BILLING CODE 8320-01-P