Privacy Act of 1974; System of Records

AGENCY:

Veterans Health Administration, Department of Veterans Affairs (VA).

ACTION:

Notice of a modified system of records.

SUMMARY:

Community Care Referrals and Authorization (CCRA) is an enterprise-wide system used by facility community care staff to generate referrals and authorizations for Veterans receiving care in the community. VA community care staff and non-VA staff use this solution to enhance Veteran access to care. CCRA is an integral component of the community care information technology architecture that allows Veterans to receive care from community providers. CCRA also allows Veterans and non-VA medical facilities to request VA authorization of emergent and urgent Veteran care.

DATES:

Comments on this modified system of records must be received no later than 30 days after date of publication in the Federal Register. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the modified system of records will become effective a minimum of 30 days after date of publication in the Federal Register. If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

ADDRESSES:

Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), Washington, DC 20420. Comments should indicate that they are submitted in response to HealthShare Referral Manager (HSRM)-VA (180VA10D). Comments received will be available at regulations.gov for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT:

Robert Hassinger, Product Manager, Community Care Referrals and Authorization (CCRA) System, Office of Information and Technology Field Office, 55 Elk Street—3rd Floor, Albany, NY 12210. Telephone number: (518) 449-0600. (This is not a toll-free number.)

SUPPLEMENTARY INFORMATION:

CCRA is an enterprise-wide solution in support of the Veterans Access, Choice, and Accountability Act of 2014 (Pub. L. 113-146) (“Choice Act”), as amended by the VA Expiring Authorities Act of 2014 (Pub. L. 113-175), to generate referrals and authorizations for Veterans receiving care in the community. VA clinical providers and Non-VA clinical providers will access a cloud-based software system to request and refer clinical care for Veterans with Community Care providers. This solution will enhance Veteran access to care by utilizing a common and modern system to orchestrate the complex business of VA referral management.

The CCRA solution is an integral component of the VA Community Care (CC) Information Technology (IT) architecture, and will track and share health care information and correspondence necessary for Veterans to be seen for appropriate and approved episodes of CC. Additionally, CCRA allows Veterans and non-VA-medical facilities to request VA authorization of emergent and urgent Veteran care. The CCRA solution will allow the VA to move to a process that generates standardized referrals and authorizations, according to clinical and business rules.

The CCRA project provides HealthShare Referral manager by InterSystems as the CCRA solution. HealthShare Referral Manager is a commercial off-the-shelf software product that is hosted in an Amazon Web Services (AWS) FedRAMP High Gov cloud and is planned for enterprise integration with VA systems, both inside and outside of CC.

Two additional Routine Uses are listed in this Modified SORN and are detailed in a later section. These Routine Uses directly relate to the referral process utilized by the CCRA solution.

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Dominic A. Cussatt, Acting Assistant Secretary of Information and Technology and Chief Information Officer, approved this document on July 2, 2021 for publication.

SYSTEM NAME AND NUMBER:

HealthShare Referral Manager (HSRM)-VA (180VA10D)

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Amazon Web Services, LLC, 12900 Worldgate Dr, Herndon, VA 20170. Community Care Referrals and Authorization (CCRA) System Product Manager, Office of Information and Technology Field Office, 55 Elk Street—3rd Floor, Albany, NY 12210.

SYSTEM MANAGER(S):

Official responsible for policies and procedures: Program Manager—Project & Portfolio Services (PPS), Business Operations & Administration (BOA) 13BOA8, VHA Office of Community Care, U.S. Department of Veterans Affairs. Telephone number: (720) 234-5234 or (720) 560-1452. (These are not toll-free numbers.).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38 United States Code 7301(a); Title 38 United States Code 1703—Veterans Community Care Program; Veterans Access, Choice, and Accountability Act of 2014 (Pub. L. 113-146).

PURPOSE(S) OF THE SYSTEM:

CCRA is an enterprise-wide system used by community care staff to automatically generate referrals and authorizations for all Veterans receiving care in the community. The system is an integral component of the VA community care information technology (IT) architecture, and allows Veterans to receive care from community providers within the Community Care Network through the Veterans Choice Program. The CCRA system allows these providers to view relevant patient and clinical information from Veterans Information Systems and Technology Architecture (VistA). The exchange of health care information and authorizations enhances VA's ability to ensure that Veterans receive the best health care available to address their medical needs. The CCRA system also enabled the VA to move from what is currently a largely manual process to an automated process that generates standardized referrals and authorizations according to clinical and business rules. The automated process decreases the administrative burden on VA clinical and community care staff members by way of establishing clinical and business pathways that which reflect best processes, consistent outcomes, and reduced turnaround times.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records include information concerning:

1. Veterans who have applied for health care services under Title 38, United States Code, Chapter 17, and in certain cases members of their immediate families.

2. Individuals examined or treated under contract or resource sharing agreements.

3. Individuals who were provided medical care under emergency conditions for humanitarian reasons.

4. Health care professionals providing examination or treatment to any individuals within VA health care facilities.

5. Healthcare professionals providing examination or treatment to individuals under contract or resource sharing agreements or CC programs, such as Choice.

6. Patients and members of their immediate family, volunteers, maintenance personnel, as well as individuals working collaboratively with VA.

7. Contractors, sub-contractors, contract personnel, students, providers and consultants.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records may include information and health information related to:

1. Identifying information (e.g., name, birth date, death date, admission date, discharge date, gender, social security number, taxpayer identification number); address information (e.g., home and/or mailing address, home telephone number, emergency contact information such as name, address, telephone number, and relationship); prosthetic and sensory aid serial numbers; medical record numbers; integration control numbers; information related to medical examination or treatment (e.g., location of VA medical facility providing examination or treatment, treatment dates, medical conditions treated or noted on examination); information related to military service and status.

2. Computer access authorizations, computer applications available and used, information access attempts, frequency and time of use; identification of the person responsible for, currently assigned, or otherwise engaged in various categories of patient care or support of health care delivery.

3. Application, eligibility, and claim information regarding payment determination for medical services provided to VA beneficiaries by non-VA health care institutions and providers.

4. Health care provider's name, address, and taxpayer identification number, correspondence concerning individuals and documents pertaining to claims for medical services, reasons for denial of payment, and appellate determinations.

RECORD SOURCE CATEGORIES:

The Veteran or other VA beneficiary, family members or accredited representatives, and other third parties; private medical facilities and healthcare professionals; health insurance carriers; other Federal agencies; employees; contractors; VHA facilities and automated systems providing clinical and managerial support at VA health care facilities.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

1. Congress

VA may disclose information to a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

2. Data Breach Response and Remediation, for VA

VA may disclose information to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records, (2) VA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with VA's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

3. Data Breach Response and Remediation, for Another Federal Agency

VA may disclose information to another Federal agency or Federal entity, when VA determines that the information is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

4. Law Enforcement

VA may disclose information that, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, to a Federal, state, local, territorial, tribal, or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing such law. The disclosure of the names and addresses of veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701.

5. DoJ for Litigation or Administrative Proceeding

VA may disclose information to the Department of Justice (DoJ), or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when:

(a) VA or any component thereof;

(b) Any VA employee in his or her official capacity;

(c) Any VA employee in his or her official capacity where DoJ has agreed to represent the employee; or

(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components, is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings.

6. Contractors

VA may disclose information to contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.

7. OPM

VA may disclose information to the Office of Personnel Management (OPM) in connection with the application or effect of civil service laws, rules, regulations, or OPM guidelines in particular situations.

8. EEOC

VA may disclose information to the Equal Employment Opportunity Commission (EEOC) in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or other functions of the Commission as authorized by law.

9. FLRA

VA may disclose information to the Federal Labor Relations Authority (FLRA) in connection with: the investigation and resolution of allegations of unfair labor practices, the resolution of exceptions to arbitration awards when a question of material fact is raised; matters before the Federal Service Impasses Panel; and the investigation of representation petitions and the conduct or supervision of representation elections.

10. MSPB

VA may disclose information to the Merit Systems Protection Board (MSPB) and the Office of the Special Counsel in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

11. NARA

VA may disclose information to NARA in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.

12. Health Care Providers, for Referral by VA

VA may disclose information to: (1) A federal agency or health care provider when VA refers a patient for medical and other health services, or authorizes a patient to obtain such services and the information is needed by the federal agency or health care provider to perform the services; or (2) a federal agency or to health care provider under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, when treatment is rendered by VA under the terms of such contract or agreement or the issuance of an authorization, and the information is needed for purposes of medical treatment or follow-up, determination of eligibility for benefits, or recovery by VA of the costs of the treatment.

13. Health Care Provider, for Referral to VA

VA may disclose information to a non-VA health care provider when that health care provider has referred the individual to VA for medical or other health services.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

CCRA relies on information in VistA, and only collects information related to referrals. Referral information is maintained as part of the individual's electronic health care record in accordance with the rules applied to those records. The CCRA system is hosted in Amazon Web Services (AWS) Government Cloud (GovCloud) infrastructure as a service cloud computing environment that has been authorized at the high-impact level under the Federal Risk and Authorization Management Program (FedRAMP). The secure site-to-site encrypted network connection is limited to access via the VA trusted internet connection (TIC).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by name, social security number or other assigned identifiers of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

These patient appointment and appointment schedules records shall be maintained per Record Control Schedule (RCS) 10-1 item; 2201.1. According to General Records Schedule (GRS) 5.1 item 010, DAA-GRS-2017-0003-0001, temporary destroy transitory records, messages coordinating schedules, appointments, and events when no longer needed for business use, or according to agency predetermined time or business rule.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

1. CCRA has physical controls and securely stores digital and non-digital media defined within the latest revision of NIST SP 800-88, Guidelines for Media Sanitization, and VA 6500, within controlled areas; and protects information system media until the media is destroyed or sanitized using approved equipment, techniques, and procedures.

2. The CCRA system is hosted in Amazon Web Services (AWS) Government Cloud (GovCloud) infrastructure as a service cloud computing environment that has been authorized at the high-impact level under the Federal Risk and Authorization Management Program (FedRAMP). The secure site-to-site encrypted network connection is limited to access via the VA trusted internet connection (TIC).

RECORD ACCESS PROCEDURES:

Individuals seeking information regarding access to and contesting of records in this system may write, call or visit the VA facility location where medical care was provided or VHA Office of Community Care.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)

NOTIFICATION PROCEDURES:

An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier, or wants to review the contents of such record, should submit a written request or apply in person to the last VA health care facility where care was rendered. All inquiries must reasonably describe the portion of the medical record involved and the place and approximate date that medical care was provided. Inquiries should include the patient's full name, social security number, and return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

Federal Register 83 FR 64935/Vol. 83, No. 242/Tuesday, December 18, 2018.