Privacy Act of 1974; System of Records

AGENCY:

Department of Veterans Affairs (VA).

ACTION:

Notice of amendment to system of records.

SUMMARY:

As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records currently entitled “Patient Medical Records-VA” (24VA136) as set forth in the Federal Register 56 FR 6048. VA is amending the system by revising the System Number, the System Location, Categories of Records in the System, Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses, Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System, and System Manager(s) and Address. VA is republishing the system notice in its entirety.

DATES:

Comments on the amendment of this system of records must be received no later than May 7, 2004. If no public comment is received, the amended system will become effective May 7, 2004.

ADDRESSES:

You may mail or hand-deliver written comments concerning the proposed amended system of records to the Director, Regulations Management (00REG1), Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420; or fax comments to (202) 273-9026; or e-mail comments to “OGCRegulations@mail.va.gov”. All relevant material received before May 7, 2004 will be considered. Comments will be available for public inspection at the above address in the Office of Regulations Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m., Monday through Friday (except holidays).

FOR FURTHER INFORMATION CONTACT:

Veterans Health Administration (VHA) Privacy Act Officer, Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420; telephone (727) 320-1839.

SUPPLEMENTARY INFORMATION:

The System number is changed from 24VA136 to 24VA19 to reflect the current organizational alignment.

The System Location is amended to reflect current organization structure with Veterans Integrated Service Network Offices having replaced Regional Director Offices. The System Location is also amended to reflect the transition from maintaining paper medical records to computerized medical records. This includes computerized medical record data stored in the VA Health Data Repository (HDR). The HDR is defined as a repository of clinical information normally residing on one or more independent platforms for use by clinicians and other personnel in support of longitudinal patient-centric care. Data will be organized in a format that supports the clinical decision-making process requisite to patient care, independent of the physical location of that patient information. The key objective of the HDR project is the ability to create a composite, portable, legal medical record that will enable providers to obtain integrated data views (computable views) and acquire the patient-specific clinical information needed to support treatment decisions. Initially, data from existing Veterans Health Information Systems and Technology Architecture (VistA) systems will be used to populate the HDR. Thus, current VistA files (and the service processes using the files) will continue to be used. As VistA files and processes are replaced by commercial off-the shelf (COTS) applications, data will be mapped from these new locations. The HDR functionality will include notifications, clinical reminders, decision support, and alerts. The HDR will be located at the VA National Data Centers. Addresses of VA facilities are removed from the System Location and can be found in Appendix 1 of the biennial publication of the VA Privacy Act Issuances.

Categories of Records in the System are amended to remove specific titles of VA databases, as these are included in the VA National Database system of records. As of August 1992, paper perpetual medical records, which included the applications(s) for medical benefits, hospital summary(ies), operation report(s), and tissue examinations(s) for all episodes of care, and if applicable, autopsy reports and certain Freedom of Information and Privacy Acts related records, are no longer created or maintained at VHA facilities. VHA facilities retire the complete paper medical record to a Federal Records Center after three years of inactivity in accordance with Records Control Schedule (RCS) 10-1.

Authority for Maintenance of the System is amended to reflect current code section numbers after 38 U.S.C. was re-codified by Congress.

Purpose(s) are amended to reflect how health information will be shared with government and private sector health care organizations.

Generally, routine use disclosures are amended to reflect plain language. Further, routine uses are amended to provide consistency with the Department of Health and Human Services Health Insurance Portability and Accountability Act (HIPAA) standards for Privacy, including re-phrasing “medical record data” or “medical care” to individually-identifiable health care information.

Routine uses with minor edits for plain language will not be further enumerated. Former Routine uses 9, 21, 22, 25, 29 and 30 provided for disclosures relative to patient financial obligations, unpaid debts, and matching programs with other federal agencies to identify veterans who have indebtedness to the United States by virtue of participation in a VA benefits program are deleted. This information or routine disclosures from 24VA136 to discover indebtedness information are incorporated into the new VA System of Records, 114VA16, “The Revenue Program—Billing and Collections Records—VA” which has been created to cover these disclosures.

Routine use number 3 has been amended in its entirety. On its own initiative, VA may disclose information, except for the names and home addresses of veterans and their dependents, to a Federal, state, local, tribal or foreign agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. On its own initiative, VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

VA must be able to comply with the requirements of agencies charged with enforcing the law and conducting investigations. VA must also be able to provide information to state or local agencies charged with protecting the public's health as set forth in state law.

Routine use number 4 has been amended to delete the phrase “the letting of a contract” as it no longer applies to this routine use. Also, the phrase “as required by law” has been added to “the hiring or retention of an employee and the issuance of a security clearance as required by law”

Former routine use number 5 is deleted from this system of records. Upon review, it has been determined that this routine use is no longer applicable to this system and, as such, is no longer required.

Former routine uses 23 and 24 are deleted as they were invalidated by two court cases, Doe v. DiGenova, § 779 F. 2d 74(D.C. Cir. 1985) and Doe v. Stephens, § 854 F.2d. 14517(D.C. Cir. 1988).

The remaining routine uses are re-numbered due to above deletions.

Routine use 13, formerly 15, is amended to reflect VA's cabinet status by substituting the current title, Under Secretary for Health for Chief Medical Director.

Routine use 19, formerly 26, is amended to delete the phrase “in order for the agency to obtain information relevant to an agency decision concerning the hiring, retention or termination of an employee” as it no longer pertains to the routine use.

Routine use 25, formerly 34, was not amended, however, clarification on the intent of the term “refers” is being provided. It was always the intent of VA for the term “refers” to mean when VA health care facilities send a patient to a Federal agency or non-VA health care provider for treatment regardless of whether or not VA is paying for the care.

Routine use disclosures are added, as described below, to enable efficient administration of health care operations and to assist in the planning and delivery of patient medical care.

• Routine use thirty-five (35) states that disclosure by a physician or professional counselor that a patient is infected with Hepatitis C may be made to the spouse, the person or subject with whom the patient has a meaningful relationship with, or to an individual whom the patient or subject has identified as being a sexual partner of the patient or subject.
• Routine use thirty-six (36) states that information may be disclosed to the Federal Labor Relations Authority (FLRA) (including its General Counsel) when requested in connection with the investigation and resolution of allegations of unfair labor practices, in connection with the resolution of exceptions to arbitrator awards when a question of material fact is raised, in connection with matters before the Federal Service Impasses Panel, and to investigate representation petitions and conduct or supervise representation elections. The release of information to FLRA from this Privacy Act system of records is necessary to comply with the statutory mandate under which FLRA operates.
• Routine use thirty-seven (37) states information may be disclosed to officials of labor organizations recognized under 5 U.S.C. chapter 71 when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions.
• Routine use thirty-eight (38) states that information may be disclosed to officials of the Merit Systems Protection Board, including the Office of the Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or

as may be authorized by law.

• Routine use thirty-nine (39) states that information may be disclosed to the Equal Employment Opportunity Commission when requested in connection with investigations of alleged or possible discrimination practices, examination of Federal affirmative employment programs, compliance with the Uniform Guidelines of Employee Selection Procedures, or other functions vested in the Commission by the President's Reorganization Plan No. 1 of 1978.
• Routine use forty (40) states that health care information may be disclosed to health and welfare agencies, housing resources or utility companies, possibly to be combined with disclosures to other agencies, in situations where VA needs to act quickly in order to provide basic and/or emergency needs on behalf of veterans and veterans' families where the family resides with the veteran or serves as a caregiver.

There are times when these referrals must be made quickly to obtain the resources necessary to maintain safe community living situations and obtain priority service for high-risk veterans. Health can be compromised when heat is turned off, telephone access denied, and food and clothing is not available. Flexibility is needed to contact a variety of agencies promptly to meet multiple needs in a timely manner. Numerous calls are often necessary to find the mix of resources needed. VA must be prepared to disclose relevant health care information to shelters, not-for-profit or profit assisted living homes, sheltered or group homes, public housing or to residence management that may be ready to evict veterans, where VA needs to use some medical and identifying information in negotiations.

• Routine use forty-one (41) states that health care information may be disclosed to funeral directors or representatives of funeral homes in order to allow them to make necessary arrangements prior to and in anticipation of a veteran's impending death.
• Routine use forty-two (42) states that health care information may be disclosed to the Food and Drug Administration (FDA), or a person subject to the jurisdiction of the FDA with respect to an FDA-regulated products, for purposes of reporting adverse events, product defects or problems, or biological product deviations; tracking products; enabling product recalls, repairs, or replacement; and/or conducting post marketing surveillance.
• Routine use forty-three (43) states that disclosure of individually-identifiable health care information may be made to a non-VA health care provider, such as DoD and IHS, for the purpose of treating a veteran. To better facilitate medical care and treatment for veterans, VA must be prepared to share health information between VHA, the Department of Defense (DoD), Indian Health Services (IHS), and other government health care organizations.
• Routine use forty-four (44) states that disclosure of information may be made to telephone company operators acting in a capacity to facilitate phone calls to/for hearing impaired individuals, such as veterans, veteran's family members, non-VA providers, etc., using Telephone Devices for the Hearing Impaired including Telecommunications Device for the Deaf (TDD) or Text Telephones (TTY).

This service may be required in order for VA to provide veteran and/or veteran's family with disabilities basic and/or emergency health care services.

• Routine use forty-five (45) states that in compliance with 38 U.S.C. 5313B(d), VA may disclose information to any Federal, state, local, tribal or foreign law enforcement agency in order to report a known fugitive felon.

VA must also be able to provide information to Federal, state or local agencies charged with protecting the public.

• Routine use forty-six (46) states that relevant health care information, excluding medical treatment information related to drug or alcohol abuse, infection with the human immunodeficiency virus or sickle cell anemia, and the names and home addresses of veterans and their dependents, may be disclosed by VA employees who are designated requesters (individuals who have completed a course offered or approved by an Organ Procurement Organization), or their designee for the purpose of determining suitability of a patient's organs or tissues for organ donation to an Organ Procurement Organization, a designated requester that is a non-VA employee, or their designees acting on behalf of local Organ Procurement Organizations. This will permit representatives from the Organ Procurement Organizations to perform the medical record reviews required in making these determinations.
• Routine use forty-six (46) states relevant heath care information may be disclosed to DoD, or its components, for individuals treated under 38 U.S.C. 8111A for the purposes deemed necessary by appropriate military command authorities to assure proper execution of the military mission.

VA is adding this routine use to provide disclosure authority in the course of treating individuals under 38 U.S.C. 8111A for the purposes discussed under 45 CFR 164.512(k)(1)(i).

The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which we collected the information. In all of the routine use disclosures described above, the recipient of the information will use the information in connection with a matter relating to one of VA's programs, will use the information to provide a benefit to VA, or disclosure is required by law.

Under section 264, Subtitle F of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 100 Stat. 1936, 2033-34 (1996), the United States Department of Health and Human Services (HHS) published a final rule, as amended, establishing Standards for Privacy of Individually-Identifiable Health Information, 45 CFR Parts 160 and 164. VHA may not disclose individually-identifiable health information (as defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to a routine use unless either: (a) The disclosure is required by law, or (b) the disclosure is also permitted or required by the HHS Privacy Rule. The disclosures of individually-identifiable health information contemplated in the routine uses published in this amended system of records notice are permitted under the Privacy Rule or required by law. However, to also have authority to make such disclosures under the Privacy Act, VA must publish these routine uses. Consequently, VA is publishing these routine uses and is adding a preliminary paragraph to the routine uses portion of the system of records notice stating that any disclosure pursuant to the routine uses in this system of records notice must be either required by law or permitted by the Privacy Rule before VHA may disclose the covered information.

Policies and practices for storing, retrieving, accessing, retaining and disposing of records in the system are amended to include provisions for computerized patient health information storage, including the Health Data Repository.

The safeguards are amended to delete specific references to the names of information systems, databases and files within the information system, as these have been incorporated into the VA National Database system of records. The section addressing access to file information and how the information is controlled has been updated to include access by remote data users such as Veteran Outreach Centers, Veteran Service Officers (VSO) with power of attorney to assist with claim processing, Veterans Benefits Administration (VBA) Regional Office staff for benefit determination and processing purposes, Office of Inspector General (OIG) staff conducting official audits or investigations and other authorized individuals. A section on Health Data Repository safeguards has also been added.

The System Manager is amended to reflect the current organizational structure and includes the System Manager for the Health Data Repository.

The Report of Intent to Amend a System on Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

24VA19

SYSTEM NAME:

Patient Medical Records-VA.

SYSTEM LOCATION:

Records are maintained at each VA health care facility (in most cases, back-up information is stored at off-site locations). Subsidiary record information is maintained at the various respective services within the health care facility (e.g., Pharmacy, Fiscal, Dietetic, Clinical Laboratory, Radiology, Social Work, Psychology, etc.) and by individuals, organizations, and/or agencies with whom VA has a contract or agreement to perform such services, as VA may deem practicable.

Address locations for VA facilities are listed in Appendix 1 of the biennial publication of the VA Privacy Act Issuances. In addition, information from these records or copies of these records may be maintained at the Department of Veteran Affairs Central Office, 810 Vermont, NW., Washington, DC 20420, VA National Data Centers, in the VA Health Data Repository (HDR) [located at the VA National Data Centers], VA Chief Information Office (CIO) Field Offices, Veterans Integrated Service Networks, Regional and General Counsel Offices.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

1.Veterans who have applied for health care services under Title 38, United States Code, Chapter 17, and members of their immediate families.

2. Spouse, surviving spouse, and children of veterans who have applied for health care services under Title 38, United States Code, Chapter 17.

3. Beneficiaries of other Federal agencies.

4. Individuals examined or treated under contract or resource sharing agreements.

5. Individuals examined or treated for research or donor purposes.

6. Individuals who have applied for Title 38 benefits but who do not meet the requirements under Title 38 to receive such benefits.

7. Individuals who were provided medical care under emergency conditions for humanitarian reasons.

8. Pensioned members of allied forces provided health care services under Title 38, United States Code, Chapter I.

CATEGORIES OF RECORDS IN THE SYSTEM:

The patient medical record is a consolidated health record (CHR) which may include:

(i) An administrative (non-clinical information) record (e.g., medical benefit application and eligibility information) including information obtained from Veterans Benefits Administration automated records such as the Veterans and Beneficiaries Identification and Records Locator Subsystem-VA (38VA23) and the Compensation, Pension, Education and Rehabilitation Records-VA (58VA21/22/28), and correspondence about the individual;

(ii) A medical record (a cumulative account of sociological, diagnostic, counseling, rehabilitation, drug and alcohol, dietetic, medical, surgical, dental, psychological, and/or psychiatric information compiled by VA professional staff and non-VA health care providers), and

(iii) Subsidiary record information (e.g., tumor registry, dental, pharmacy, nuclear medicine, clinical laboratory, radiology, and patient scheduling information). The consolidated health record may include identifying information (e.g., name, address, date of birth, VA claim number, social security number), military service information (e.g., dates, branch and character of service, service number, medical information), family information (e.g., next of kin and person to notify in an emergency; address information, name, social security number and date of birth for veteran's spouse and dependents; family medical history information), employment information (e.g., occupation, employer name and address), financial information (e.g., family income; assets; expenses; debts; amount and source of income for veteran, spouse and dependents), third-party health plan contract information (e.g., health insurance carrier name and address, policy number, amounts billed and paid), and information pertaining to the individual's medical, surgical, psychiatric, dental, and/or psychological examination, evaluation, and/or treatment (e.g., information related to the chief complaint and history of present illness; information related to physical, diagnostic, therapeutic, special examinations, clinical laboratory, pathology and x-ray findings, operations, medical history, medications prescribed and dispensed, treatment plan and progress, consultations; photographs taken for identification and medical treatment; education and research purposes; facility locations where treatment is provided; observations and clinical impressions of health care providers to include identity of providers and to include, as appropriate, the present state of the patient's health, an assessment of the patient's emotional, behavioral, and social status, as well as an assessment of the patient's rehabilitation potential and nursing care needs). Abstract information (e.g., environmental, epidemiological and treatment regimen registries, etc.) is maintained in auxiliary paper and automated records.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code, Section 501(b) and Section 304.

PURPOSE(S):

The paper and automated records may be used for such purposes as: Ongoing treatment of the patient; documentation of treatment provided; payment; health care operations such as producing various management and patient follow-up reports; responding to patient and other inquiries; for epidemiological research and other health care related studies; statistical analysis, resource allocation and planning; providing clinical and administrative support to patient medical care; determining entitlement and eligibility for VA benefits; processing and adjudicating benefit claims by Veterans Benefits Administration Regional Office (VARO) staff; for audits, reviews and investigations conducted by staff of the health care facility, the networks, VA Central Office, and the VA Office of Inspector General (OIG); sharing of health information between and among Veterans Health Administration (VHA), Department of Defense (DoD), Indian Health Services (IHS), and other government and private industry health care organizations; law enforcement investigations; quality assurance audits, reviews and investigations; personnel management and evaluation; employee ratings and performance evaluations, and employee disciplinary or other adverse action, including discharge; advising health care professional licensing or monitoring bodies or similar entities of activities of VA and former VA health care personnel; accreditation of a facility by an entity such as the Joint Commission on Accreditation of Healthcare Organizations (JCAHO); and, notifying medical schools of medical students' performance and billing.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 45 CFR Parts 160 and 164, i.e., individually identifiable health information, and 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR Parts 160 and 164 permitting disclosure.

1. Disclosure of health care information as deemed necessary and proper to Federal, state and local government agencies and national health organizations in order to assist in the development of programs that will be beneficial to claimants, to protect their rights under law, and assure that they are receiving all benefits to which they are entitled.

2. Disclosure of health care information furnished and the period of care, as deemed necessary and proper, to accredited service organization representatives and other approved agents, attorneys, and insurance companies to aid claimants whom they represent in the preparation, presentation and prosecution of claims under laws administered by VA, state or local agencies.

3. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature, and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, state, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

4. A record from this system of records may be disclosed to a Federal agency or the District of Columbia government, in response to its request, in connection with the hiring or retention of an employee and the issuance of a security clearance as required by law, the reporting of an investigation of an employee, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision.

5. Disclosure of individually-identifiable health care information may be made by appropriate VA personnel to the extent necessary and on a need-to-know basis, consistent with good medical-ethical practices, to family members and/or the person(s) with whom the patient has a meaningful relationship.

6. In response to an inquiry about a named individual from a member of the general public, disclosure may be made to establish the patient's presence (and location when needed for visitation purposes) in a medical facility or to report the patient's general condition while hospitalized (e.g., satisfactory, seriously ill).

7. Relevant information may be disclosed in the course of presenting evidence to a court, magistrate or administrative tribunal, in matters of guardianship, inquests and commitments; to private attorneys representing veterans rated incompetent in conjunction with issuance of Certificates of Incompetency; and to probation and parole officers in connection with Court required duties.

8. Relevant information may be disclosed to a guardian ad litem in relation to his or her representation of a claimant in any legal proceeding.

9. Disclosure may be made to a Congressional office from the record of an individual in response to an inquiry from the Congressional office made at the request of that individual.

10. The name(s) and address(es) of present or former members of the armed services and/or their dependents may be disclosed under certain circumstances: (a) To any nonprofit organization if the release is directly connected with the conduct of programs and the utilization of benefits under Title 38, and (b) to any criminal or civil law enforcement governmental agency or instrumentality charged under applicable law with the protection of the public health or safety, if a qualified representative of such organization, agency or instrumentality has made a written request that such name(s) or address(es) be provided for a purpose authorized by law; provided, further, that the record(s) will not be used for any purpose other than that stated in the request and that organization, agency or instrumentality is aware of the penalty provision of 38 U.S.C. 5701 (f).

11. The nature of the patient's illness, probable prognosis, estimated life expectancy and need for the presence of the related service member may be disclosed to the American Red Cross for the purpose of justifying emergency leave.

12. Any relevant information may be disclosed to attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and to courts, boards, or commissions, only to the extent necessary to aid VA in preparation, presentation, and prosecution of claims authorized under Federal, state, or local laws, and regulations promulgated thereunder.

13. Disclosure of health information, excluding name and home address, (unless name and address is furnished by the requester) for research purposes determined to be necessary and proper, to epidemiological and other research entities approved by the Under Secretary for Health.

14. In order to conduct Federal research necessary to accomplish a statutory purpose of an agency, at the written request of the head of the agency, or designee of the head of that agency, the name(s) and address(es) of present or former personnel of the Armed Services and/or their dependents may be disclosed (a) to a Federal department or agency or (b) directly to a contractor of a Federal department or agency. When a disclosure of this information is to be made directly to the contractor, VA may impose applicable conditions on the department, agency and/or contractor to insure the appropriateness of the disclosure to the contractor.

15. Relevant information may be disclosed to the Department of Justice and United States Attorneys in defense or prosecution of litigation involving the United States, and to Federal agencies upon their request in connection with review of administrative tort claims filed under the Federal Tort Claims Act, 28 U.S.C. 2672.

16. Health care information may be disclosed by the examining VA physician to a non-VA physician when that non-VA physician has referred the individual to the VA for medical care.

17. Patient medical records may be disclosed to the National Archives and Records Administration (NARA) and the General Services Administration (GSA) in records management inspections conducted under authority of 44 U.S.C.

18. Health care information concerning a non-judicially declared incompetent patient may be disclosed to a third party upon the written authorization of the patient's next of kin in order for the patient or, consistent with the best interest of the patient, a member of the patient's family, to receive a benefit to which the patient or family member is entitled or, to arrange for the patient's discharge from a VA medical facility. Sufficient information to make an informed determination will be made available to such next of kin. If the patient's next of kin are not reasonably accessible, the Chief of Staff, Director, or designee of the custodial VA medical facility may make disclosure of health care information for these purposes.

19. Disclosure may be made to a Federal agency or to a state or local government licensing board and/or to the Federation of State Medical Boards, or a similar non-government entity, which maintains records concerning individuals' employment histories or concerning the issuance, retention or revocation of licenses, certifications, or registration necessary to practice an occupation, profession or specialty, to inform a Federal agency or licensing boards or the appropriate non-government entities about the health care practices of a terminated, resigned or retired health care employee whose professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients in the private sector or from another Federal agency. These records may also be disclosed as part of an ongoing computer matching program to accomplish these purposes.

20. In the case of any record which is maintained in connection with the performance of any program or activity relating to infection with the Human Immunodeficiency Virus (HIV), information may be disclosed to a Federal, state, or local public health authority that is charged under Federal or state law with the protection of the public health, and to which Federal or state law requires disclosure of such record, if a qualified representative of such authority has made a written request that such record be provided as required pursuant to such law for a purpose authorized by such law. The person to whom information is disclosed should be advised that they shall not re-disclose or use such information for a purpose other than that for which the disclosure was made [(38 U.S.C. 7332 (b)(2)(C)]. The disclosure of patient name and address under this routine use must comply with the provisions of 38 U.S.C. 5701 (f)(2).

21. Information indicating that a patient or subject is infected with the Human Immunodeficiency Virus (HIV) may be disclosed by a physician or professional counselor to the spouse of the patient or subject, or to an individual whom the patient or subject has a meaningful relationship, during the process of professional counseling or of testing, to determine whether the patient or subject is infected with the virus, identified as being a sexual partner of the patient or subject. Disclosures may be made only if the physician or counselor, after making reasonable efforts to counsel and encourage the patient or subject to provide the information to the spouse or sexual partner, and if the disclosure is necessary to protect the health of the spouse or sexual partner. Such disclosures should, to the extent feasible, be made by the patient's or subject's treating physician or professional counselor. Before any patient or subject gives consent to being tested for the HIV, as part of pre-testing counseling, the patient or subject must be informed fully about these notification procedures.

22. Identifying information, including name, address, social security number, and other information as is reasonably necessary to identify such individual, may be disclosed to the National Practitioner Data Bank at the time of hiring and/or clinical privileging/re-privileging of health care practitioners, and other times as deemed necessary by VA, in order for VA to obtain information relevant to a Department decision concerning the hiring, privileging/re-privileging, retention or termination of the applicant or employee.

23. Relevant information may be disclosed to the National Practitioner Data Bank and/or State Licensing Board in the state(s) in which a practitioner is licensed, in which the VA facility is located, and/or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning: (a) Any payment for the benefit of a physician, dentist, or other licensed health care practitioner which was made as the result of a settlement or judgment of a claim of medical malpractice, if an appropriate determination is made in accordance with Department policy that payment was related to substandard care, professional incompetence or professional misconduct on the part of the individual; (b) a final decision which relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician or dentist for a period longer than 30 days; or, (c) the acceptance of the surrender of clinical privileges, or any restriction of such privileges by a physician or dentist, either while under investigation by the health care entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

24. Relevant health care information may be disclosed to a state veterans home for the purpose of medical treatment and/or follow-up at the state home when VA makes payment of a per diem rate to the state home for the patient receiving care at such home, and the patient receives VA medical care.

25. Relevant health care information may be disclosed to (a) a Federal agency or non-VA health care provider or institution when VA refers a patient for hospital or nursing home care or medical services, or authorizes a patient to obtain non-VA medical services and the information is needed by the Federal agency or non-VA institution or provider to perform the services; or (b) a Federal agency or a non-VA hospital (Federal, state and local, public or private) or other medical installation having hospital facilities, blood banks, or similar institutions, medical schools or clinics, or other groups or individuals that have contracted or agreed to provide medical services, or share the use of medical resources under the provisions of 38 U.S.C 513, 7409, 8111, or 8153, when treatment is rendered by VA under the terms of such contract or agreement or the issuance of an authorization, and the information is needed for purposes of medical treatment and/or follow-up, determining entitlement to a benefit or, for VA to effect recovery of the costs of the medical care.

26. For program review purposes and the seeking of accreditation and/or certification, health care information may be disclosed to survey teams of the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), College of American Pathologists, American Association of Blood Banks, and similar national accrediting agencies or boards with whom VA has a contract or agreement to conduct such reviews, but only to the extent that the information is necessary and relevant to the review.

27. Relevant health care information may be disclosed to a non-VA nursing home facility that is considering the patient for admission, when information concerning the individual's medical care is needed for the purpose of preadmission screening under 42 CFR 483.20(f), for the purpose of identifying patients who are mentally ill or mentally retarded, so they can be evaluated for appropriate placement.

28. Information from a named patient's VA medical record which relates to the performance of a health care student or provider may be disclosed to a medical or nursing school, or other health care related training institution, or other facility with which there is an affiliation, sharing agreement, contract, or similar arrangement when the student or provider is enrolled at or employed by the school or training institution, or other facility, and the information is needed for personnel management, rating and/or evaluation purposes.

29. Relevant health care information may be disclosed to individuals, organizations, private or public agencies, etc., with whom VA has a contract or sharing agreement for the provision of health care or administrative services.

30. Identifying information, including social security number, of veterans, spouse(s) of veterans, and dependents of veterans, may be disclosed to other Federal agencies for purposes of conducting computer matches, to obtain information to determine or verify eligibility of veterans who are receiving VA medical care under Title 38, U.S.C.

31. The name and social security number of a veteran, spouse and dependent, and other identifying information as is reasonably necessary may be disclosed to the Social Security Administration, Department of Health and Human Services (HHS), for the purpose of conducting a computer match to obtain information to validate the social security numbers maintained in VA records.

32. The patient name and relevant health care information concerning an adverse drug reaction of a patient may be disclosed to the Food and Drug Administration (FDA), HHS, for purposes of quality of care management, including detection, treatment, monitoring, reporting, analysis and follow-up actions relating to adverse drug reactions.

33. Patient identifying information may be disclosed to Federal agencies and VA and government-wide third-party insurers responsible for payment of the cost of medical care for the identified patients, in order for VA to seek recovery of the medical care costs. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

34. Pursuant to 38 U.S.C. 7464, and notwithstanding sections 5701 and 7332, when requested by a VA employee or former VA employee (or a representative of the employee) whose case is under consideration by the VA Disciplinary Appeals Board, in connection with the considerations of the Board, records or information may be reviewed by or disclosed to the employee or former employee (or representative) to the extent the Board considers appropriate for purposes of the proceedings of the Board in that case, when authorized by the chairperson of the Board.

35. Disclosure by a physician or professional counselor that a patient is infected with Hepatitis C may be made to the spouse, the person or subject with whom the patient has a meaningful relationship with, or to an individual whom the patient or subject has identified as being a sexual partner of the patient or subject.

36. Disclosure may be made to the Federal Labor Relations Authority, including its General Counsel, when requested in connection with investigation and resolution of allegations of unfair labor practices, in connection with the resolution of exceptions to arbitrator awards when a question of material fact is raised and matters before the Federal Service Impasses Panel.

37. Disclosure may be made to officials of labor organizations recognized under 5 U.S.C. chapter 71 when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions.

38. Disclosure may be made to officials of the Merit Systems Protection Board, including the Office of the Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as may be authorized by law.

39. Disclosure may be made to the Equal Employment Opportunity Commission when requested in connection with investigations of alleged or possible discrimination practices, examination of Federal affirmative employment programs, compliance with the Uniform Guidelines of Employee Selection Procedures, or other functions vested in the Commission by the President's Reorganization Plan No. 1 of 1978.

40. Relevant health care information may be disclosed to health and welfare agencies, housing resources and utility companies, possibly to be combined with disclosures to other agencies, in situations where VA needs to act quickly in order to provide basic and/or emergency needs for the veteran and veteran's family where the family resides with the veteran or serves as a caregiver.

41. Disclosure of health care information may be made to funeral directors or representatives of funeral homes in order to allow them to make necessary arrangements prior to and in anticipation of a veteran's impending death.

42. Disclosure of health care information may be made to the FDA, or a person subject to the jurisdiction of the FDA, with respect to FDA-regulated products for purposes of reporting adverse events, product defects or problems, or biological product deviations; tracking products; enabling product recalls, repairs, or replacement; and/or conducting post marketing surveillance.

43. Disclosure of individually-identifiable health care information may be made to a non-VA health care provider, such as DoD or IHS, for the purpose of treating any VA patient, including veterans.

44. Disclosure of information may be made to telephone company operators acting in a capacity to facilitate phone calls to/for hearing impaired individuals, such as veterans, veteran's family members, non-VA providers, etc., using Telephone Devices for the Hearing Impaired including Telecommunications Device for the Deaf (TDD) or Text Telephones (TTY).

45. In compliance with 38 U.S.C. 5313B(d), VA may disclose information to any Federal, state, local, tribal or foreign law enforcement agency in order to report a known fugitive felon.

46. Relevant health care information, excluding medical treatment information related to drug or alcohol abuse, infection with the human immunodeficiency virus or sickle cell anemia, and the names and home addresses of veterans and their dependents, may be disclosed by VA employees who are designated requesters (individuals who have completed a course offered or approved by an Organ Procurement Organization), or their designee for the purpose of determining suitability of a patient's organs or tissues for organ donation to an Organ Procurement Organization, a designated requester that is a non-VA employee, or their designees acting on behalf of local Organ Procurement Organizations.

47. Relevant heath care information may be disclosed to DoD, or its components, for individuals treated under 38 U.S.C. 8111A for the purposes deemed necessary by appropriate military command authorities to assure proper execution of the military mission.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

Storage:

Records are maintained on paper, microfilm, electronic media or laser optical media in the consolidated health record at the health care facility where care was rendered, in the VA Health Data Repository, and at Federal Record Centers. In most cases, copies of back-up computer files are maintained at off-site locations. Subsidiary record information is maintained at the various respective services within the health care facility (e.g., Pharmacy, Fiscal, Dietetic, Clinical Laboratory, Radiology, Social Work, Psychology, etc.) and by individuals, organizations, and/or agencies with whom VA has a contract or agreement to perform such services, as the VA may deem practicable.

Paper records are currently being relocated from Federal record centers to the VA Records Center and Vault. It is projected that all paper records will be stored at the VA Records Center and Vault by the end of the calendar year 2004.

Retrievability:

Records are retrieved by name, social security number or other assigned identifiers of the individuals on whom they are maintained.

Safeguards:

1. Access to working spaces and patient medical record storage areas in VA health care facilities is restricted to authorized VA employees. Generally, file areas are locked after normal duty hours. Health care facilities are protected from outside access by the Federal Protective Service and/or other security personnel. Access to patient medical records is restricted to VA employees who have a need for the information in the performance of their official duties. Sensitive patient medical records, including employee patient medical records, records of public figures, or other sensitive patient medical records are generally stored in separate locked files or a similar electronically controlled access environment. Strict control measures are enforced to ensure that access to and disclosures from these patient medical records are limited.

2. Access to computer rooms within health care facilities is generally limited by appropriate locking devices and restricted to authorized VA employees and vendor personnel. ADP peripheral devices are generally placed in secure areas (areas that are locked or have limited access) or are otherwise protected. Only authorized VA employees or vendor employees may access information in the system. Access to file information is controlled at two levels: the system recognizes authorized employees by a series of individually unique passwords/codes as a part of each data message, and the employees are limited to only that information in the file that is needed in the performance of their official duties. Information that is downloaded and maintained on personal computers must be afforded similar storage and access protections as the data that is maintained in the original files. Access by remote data users such as Veteran Outreach Centers, Veteran Service Officers (VSO) with power of attorney to assist with claim processing, VBA Regional Office staff for benefit determination and processing purposes, OIG staff conducting official audits or investigations and other authorized individuals is controlled in the same manner.

3. Access to the VA National Data Centers is generally restricted to Center employees, custodial personnel, Federal Protective Service and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. Information stored in the computer may be accessed by authorized VA employees at remote locations including VA health care facilities, VA Central Office, Veterans Integrated Service Networks (VISNs), and OIG Central Office and field staff. Access is controlled by individually unique passwords/codes that must be changed periodically by the employee.

4. Access to the VA Health Data Repository (HDR), located at the VA National Data Centers, is generally restricted to Center employees, custodial personnel, Federal Protective Service and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. Information stored in the computer may be accessed by authorized VA employees at remote locations including VA health care facilities, VA Central Office, VISNs, and OIG Central Office and field staff. Access is controlled by individually unique passwords/codes that must be changed periodically by the employee.

5. Access to records maintained at VA Central Office, the VA Boston Development Center, Chief Information Office Field Offices, and VISNs is restricted to VA employees who have a need for the information in the performance of their official duties. Access to information stored in electronic format is controlled by individually unique passwords/codes. Records are maintained in manned rooms during working hours. The facilities are protected from outside access during non-working hours by the Federal Protective Service or other security personnel.

6. Computer access authorizations, computer applications available and used, information access attempts, frequency and time of use are recorded.

Retention and disposal:

In accordance with the records disposition authority approved by the Archivist of the United States, paper records and information stored on electronic storage media are maintained for 75 years after the last episode of patient care then destroyed/deleted.

System manager(S) and address:

Patient Medical Record: Director, Information Assurance (19F), Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420.

Health Data Repository: Director, Health Data Systems (19-SL), Department of Veterans Affairs, 295 Chipeta Way, Salt Lake City, UT 84108.

Notification procedure:

An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to determine the contents of such record, should submit a written request or apply in person to the last VA health care facility where care was rendered. Addresses of VA health care facilities may be found in VA Appendix 1 of the Biennial Publication of Privacy Act Issuances. All inquiries must reasonably identify the portion of the medical record involved and the place and approximate date that medical care was provided. Inquiries should include the patient's full name, social security number and return address.

Record access procedure:

Individuals seeking information regarding access to and contesting of VA medical records may write, call or visit the last VA facility where medical care was provided.

Contesting record procedures:

(See Record Access Procedures above.)

Record source categories:

The patient, family members or accredited representative, and friends, employers; military service departments; health insurance carriers; private medical facilities and health care professionals; state and local agencies; other Federal agencies; VA Regional Offices, Veterans Benefits Administration automated record systems (including Veterans and Beneficiaries Identification and Records Location Subsystem-VA (38VA23) and the Compensation, Pension, Education and Rehabilitation Records-VA (58VA21/22/28); and various automated systems providing clinical and managerial support at VA health care facilities.