Privacy Act of 1974; System of Records

AGENCY:

Department of Veterans Affairs (VA).

ACTION:

Notice of amendment to system of records.

SUMMARY:

As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records currently entitled “My Health e Vet Administrative Records-VA” (130VA19) as set forth in the Federal Register 75 FR 70365. VA is amending the system by revising the System Number, System Location, Categories of Individuals Covered by the System, Categories of Records in the System, Records Source Categories, Routine Uses of Records Maintained in the System, Retention and Disposal, System Manager, Record Access Procedure, and Notification Procedure. VA is republishing the system notice in its entirety.

DATES:

Comments on the amendment of this system of records must be received no later than September 23, 2016. If no public comment is received, the amended system will become effective September 23, 2016.

ADDRESSES:

Written comments concerning the amended system of records may be submitted through www.regulations.gov;; by mail or hand-delivery to Director, Regulations Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. All comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 (this is not a toll-free number) for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System at www.regulations.gov .

FOR FURTHER INFORMATION CONTACT:

Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION:

The System Number is changed from 130VA19 to 130VA10P2 to reflect the current organizational alignment.

The System Location in this system of records is being amended to include contracted data storage location.

The Categories of Individuals Covered by the System is being amended to remove “grantee, family members and friends” and add “power of attorney and legal guardian” to section (2). Section (4) is being amended to replace “VHA Information Technology (IT)” with “VA Office of Information and Technology (OI&T)”. The Categories of Records in the System is being amended to delete “grantee”. The Record Source Categories is being amended to add “power of attorney” to section (2). Routine Uses of Records Maintained in the System is being deleted:

“8. Disclosure of information may be made to VA approved researchers to enhance, advance and promote both the function and the content of the My HealtheVet application.”

This section is also being amended to add:

8. VA may disclose health information for research purposes determined to be necessary and proper to epidemiological and other research entities approved by the Under Secretary for Health or designee, such as the Medical Center Director of the facility where the information is maintained.

9. VA may disclose health information, including the name(s) and address(es) of present or former personnel of the Armed Services and/or their dependents, (a) to a Federal department or agency or (b) directly to a contractor of a Federal department or agency, at the written request of the head of the agency or the designee of the head of that agency, to conduct Federal research necessary to accomplish a statutory purpose of an agency. When this information is to be disclosed directly to the contractor, VA may impose applicable conditions on the department, agency, and/or contractor to ensure the appropriateness of the disclosure to the contractor.

The Retention and Disposal section is being amended to remove General Records Schedules (GRS) 20, item 1c and GRS 24, item 6a. This section will now include research and GRS 3.2 Item 031.

The System Manager(s) and Address, Notification Procedure, and Record Access Procedure sections are being amended to remove the Chief, Technical Infrastructure Division (31), Austin Automation Center, 1615 Woodward Street, Austin, Texas 78772. These sections will now include My Health e Vet Chief Information Officer, 55 Foothill Drive, Suite 400, Salt Lake City, Utah 84113.

The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

The Secretary of Veterans Affairs, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Gina S. Farrisee, Deputy Chief of Staff, approved this document on August 2, 2016, for publication.

130VA10P2

SYSTEM NAME:

My Health e Vet Administrative Records-VA.

SYSTEM LOCATION:

Records are maintained at Veterans Health Administration (VHA) facilities, VA National Data Centers, VA Health Data Repository (HDR), and at the contracted data storage system located in Culpepper, Virginia. Address locations for VHA facilities are listed in VA Appendix 1 of the biennial publications of the VA systems of records.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code, section 501.

PURPOSE(S):

The information in the My Health e Vet Administrative Records is needed to operate the My Health e Vet program including, but not limited to, registration and verification of the Veteran's identity or to register and authenticate those who have legal authority to participate in lieu of the Veteran, to assign and verify administrators of the My HealtheVet portal, to retrieve the Veteran's information to perform specific functions, and to allow access to specific information and provide other associated My Health e Vet electronic services in current and future applications of the My Health e Vet program. The administrative information may also be used to create administrative business reports for system owners and VA managers who are responsible for ensuring that the My Health e Vet system is meeting performance expectations and is in compliance with applicable Federal laws and regulations. Administrative information may also be used for evaluation to support program improvement, including VA approved research studies.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Individuals covered by this system encompass: (1) All individuals who successfully register for a My Health e Vet account and whose identity has been verified; (2) Representatives of the above individuals who have been provided Delegate access to My Health e Vet including, but not limited to, Power of Attorney (POA), legal guardian, or VA and non-VA health care providers; (3) VA health care providers and certain administrative staff; (4) VA Office of Information and Technology (OI&T) staff and/or their approved contractors who may need to enter identifying, administrative information into the system to initiate, support, and maintain electronic services for My Health e Vet participants; and (5) VA researchers fulfilling VA required authorization procedures.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records include personally identifiable information, such as an individual's full name; My Health e Vet User Identifier (ID); date of birth; Social Security number; email address; telephone number; mother's maiden name; ZIP code; place and date of registration for My Health e Vet; Delegate user IDs associated with My Health e Vet accounts; level of access to My Health e Vet electronic services; date and type of transaction; web analytics for the purpose of monitoring site usage; patient internal control number (ICN); and other administrative data needed for My Health e Vet roles and services.

RECORD SOURCE CATEGORIES:

The sources of information for this system of records include the individuals covered by this notice and an additional contributor, as listed below:

(1) All individuals who successfully register for a My Health e Vet account;

(2) Representatives of the above individuals who have been provided access to the private health space by the Veteran user, including but not limited to, POA, or VA and non-VA health care providers;

(3) VA health care providers;

(4) VA OI&T staff and/or their contractors and subcontractors who may need to enter information into the system to initiate, support and maintain My Health e Vet electronic services for My Health e Vet users;

(5) VistA and other VA IT systems;

(6) VA researchers fulfilling VA required authorization procedures (see VHA Handbook 1200.01 http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=2038 ).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 45 CFR. Parts 160 and 164 (i.e., individually identifiable health information), and 38 U.S.C. 7332 (i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus), that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.

1. Disclosure of information in this system of records may be made to private or public sector organizations, individuals, agencies, etc., with whom VA has a contract or agreement, including subcontractors, in order to administer the My Health e Vet program, or perform other such services as VA deems appropriate and practical for the purposes of administering VA laws.

2. On its own initiative, VA may disclose information, except for the names of My Health e Vet users and system administrators, to State, local, tribal or foreign agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. On its own initiative, VA may disclose information including names of My Health e Vet users and system administrators to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

3. VA may disclose information from this system to the National Archives and Records Administration (NARA) and General Services Administration in records management inspections conducted under title 44, United States Code (U.S.C.).

4. VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

5. Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

6. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

7. Disclosure of information may be made when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure is to agencies, entities, and persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosure by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724.

8. VA may disclose health information for research purposes determined to be necessary and proper to epidemiological and other research entities approved by the Under Secretary for Health or designee, such as the Medical Center Director of the facility where the information is maintained.

9. VA may disclose health information, including the name(s) and address(es) of present or former personnel of the Armed Services and/or their dependents, (a) to a Federal department or agency or (b) directly to a contractor of a Federal department or agency, at the written request of the head of the agency or the designee of the head of that agency, to conduct Federal research necessary to accomplish a statutory purpose of an agency. When this information is to be disclosed directly to the contractor, VA may impose applicable conditions on the department, agency, and/or contractor to ensure the appropriateness of the disclosure to the contractor.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

My Health e Vet Administrative Records are maintained on paper and electronic media, including hard drive disks, which are backed up to tape at regular intervals.

POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:

Records may be retrieved by an individual's name, user ID, date of registration for My Health e Vet electronic services, ZIP code, the VA assigned ICN, date of birth and/or Social Security number, if provided.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are maintained and disposed of in accordance with the records disposition authority approved by the Archivist of the United States. Records from this system that are needed for audit purposes will be retained for at least six (6) years after a user's account becomes inactive. Routine records will be disposed of when the agency determines they are no longer needed for administrative, legal, audit, research, or other operational purposes, but no less than six (6) years from date of last account activity. These retention and disposal statements are pursuant to the currently applicable NARA General Records Schedule GRS 3.2 Item 031.

PHYSICAL, PROCEDURAL, AND ADMINISTRATIVE SAFEGUARDS:

1. Access to and use of the My Health e Vet Administrative Records are limited to those persons whose official duties require such access. VA has established security controls and procedures to ensure that access is appropriately limited. Information Security Officers and system data stewards review and authorize data access requests. VA regulates data access with security software that authenticates My Health e Vet administrative users and requires individually unique codes and passwords. VA provides Information Security training to all staff and instructs staff on the responsibility each person has for safeguarding data confidentiality. VA regularly updates security standards and procedures that are applied to systems and individuals supporting this program.

2. Physical access to computer rooms housing the My Health e Vet Administrative Records is restricted to authorized staff and protected by a variety of security devices. The Federal Protective Service or other security personnel provide physical security for the buildings housing computer systems and data centers.

3. Data transmissions between operational systems and My Health e Vet Administrative Records maintained by this system of records are protected by telecommunications security software and hardware as prescribed by Federal security and privacy laws as well as VA standards and practices. This includes firewalls, encryption, and other security measures necessary to safeguard data as it travels across the VA Wide Area Network.

4. Copies of back-up computer files are maintained at secure off-site locations.

SYSTEM MANAGER(S):

Official responsible for policies and procedures: Director of Veterans and Consumers Health Informatics Office, 8455 Colesville Road, Suite 1200, Silver Spring, Maryland 20910. Officials maintaining this system of record: VHA facilities (address locations for VHA facilities are listed in VA Appendix 1 of the biennial publications of the VA systems of records) and the My Health e Vet Chief Information Officer, 55 Foothill Drive, Suite 400, Salt Lake City, Utah 84113.

RECORD ACCESS PROCEDURE:

Individuals seeking information regarding access to and/or contesting of records in this system may write or call their local VHA facility and/or the My Health e Vet Chief Information Officer, 55 Foothill Drive, Suite 400, Salt Lake City, Utah 84113.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)

NOTIFICATION PROCEDURE:

Individuals who wish to determine whether a record is being maintained under their name in this system or wish to determine the contents of such records have two options:

1. Submit a written request or apply in person to the VHA facility where the records are located. VHA facility location information can be found in the Facilities Locator section of VA's Web site at http://www.va.gov;; or

2. Submit a written request or apply in person to the My Health e Vet Chief Information Officer, 55 Foothill Drive, Suite 400, Salt Lake City, Utah 84113.

Inquiries should include the person's full name, user ID, date of birth, and return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.