Privacy Act of 1974; System of Records

Federal Register, May 11, 2012
77 Fed. Reg. 27859 (May 11, 2012)

AGENCY:

Department of Veterans Affairs.

ACTION:

Notice of New System of Records “Virtual Lifetime Electronic Record (VLER)-VA” (168VA10P2).

SUMMARY:

The Privacy Act of 1974 (5 U.S.C. 552(e)(4)) requires that all agencies publish in the Federal Register a notice of the existence and character of their systems of records. Notice is hereby given that the Department of Veterans Affairs (VA) is establishing a new system of records entitled “Virtual Lifetime Electronic Record (VLER)-VA” (168VA10P2).

DATES:

Comments on this new system of records must be received no later than June 11, 2012. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by the VA, the new system will become effective June 11, 2012.

ADDRESSES:

Written comments concerning the proposed amended system of records may be submitted through www.regulations.gov; by mail or hand-delivery to Director, Regulations Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. All comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS) at www.regulations.gov.

FOR FURTHER INFORMATION CONTACT:

Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420, telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION:

I. Description of Proposed Systems of Records

Background

The Virtual Lifetime Electronic Record (VLER) is an overarching program being developed by the Department of Veterans Affairs (VA) as a result of President Obama's direction on April 9, 2009, to the VA and the Department of Defense (DoD) to create the VLER, which will allow the electronic sharing with VA, DoD and NwHIN participants. The purpose of use will include, but not be limited to, healthcare treatment information, disability adjudication, and benefits.

For this proposed system of records the individuals covered by the system include Veterans and their family members or caregivers; members of the Armed Services, Reserves or National Guard; and VA employees who access information through VLER.

The proposed system of records contains patient demographic information (e.g., name, address, phone numbers, date of birth, social security number, internal control number); patient demographic and health information from external health care providers (e.g., medication listing, allergies, consultations and referrals, progress notes, history and physicals, discharge summaries, diagnostic studies and procedure notes, Advanced Directives, problem lists, laboratory reports, lists of procedures and encounters); benefits information (e.g., disability rating, service connection rating); and information on Veterans' preferences for restricting the sharing of their health information (e.g., authorizations, restriction requests, revocation of authorizations). The records include information provided by Veterans and their family members or caregivers, members of the Armed Services, Reserves or National Guard, and VA employees; and information from VA computer systems and databases including, but not limited to, Veterans Health Information Systems and Technology Architecture (VistA)-VA (79VA19) and National Patient Databases-VA (121VA19), VA Medical Centers (VAMC), federal and non-federal VLER/NwHIN partners and the Department of Defense.

The purpose of the system of records is to provide a repository for the clinical and administrative information that is used to accomplish the purposes described. The purpose of use will include, but not be limited to, health care treatment information, disability adjudication, and benefits to the Veteran both within the VA Medical Center and in sharing with partners who are participating through the Nationwide Health Information Network (NwHIN) in the VLER pilots and subsequent national roll-out. Data stored in the VLER Veterans Authorizations and Preferences (VAP) system is used to prepare various management, tracking and follow-up reports that are used to assist in the management and operation of the health care facility, and the planning and delivery of patient medical care. Data may be used to track and evaluate patient care services, the distribution and utilization of resources, and the performance of vendors and employees. The data may also be used for such purposes as scheduling patient treatment services, including nursing care, clinic appointments, survey, diagnostic and therapeutic procedures. Data may also be used to track the ordering, delivery, maintenance and repair of equipment, and for follow-up activities to determine if the actions were accomplished and to evaluate the results.

II. Proposed Routine Use Disclosures of Data in the System

To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information, and 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia, or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.

VHA is proposing the following routine use disclosures of information to be maintained in the system:

1. On its own initiative, the VA may disclose information, except for the names and home addresses of veterans and their dependents, to a Federal, State, local, tribal or foreign agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. On its own initiative, the VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. VA must be able to comply with the requirements of agencies charged with enforcing the law and conducting investigations. VA must also be able to provide information to State or local agencies charged with protecting the public's health as set forth in State law.

2. Disclosure may be made to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose(s) of the request, and to identify the type of information requested), when necessary to obtain information relevant to an individual's eligibility, care history, or other benefits.

3. Disclosure of information to a NwHIN participant for the purpose of providing care or treatment to VA patients, reimbursement for health care services, or determining eligibility for disability benefits.

4. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the Member, when the Member or staff person requests the record on behalf of and at the written request of the individual. Individuals sometimes request the help of a member of Congress in resolving some issues relating to a matter before the VA. The member of Congress then writes to the VA, and the VA must be able to give sufficient information to give a response to the inquiry.

5. Disclosure may be made to National Archives and Records Administration (NARA) and the General Services Administration (GSA) in records management inspections conducted under authority of Title 44, Chapter 29, of the United States Code (U.S.C.). NARA and GSA are responsible for management of old records no longer actively used, but which may be appropriate for preservation, and for the physical maintenance of the Federal government's records. VA must be able to provide the records to NARA and GSA in order to determine the proper disposition of such records.

6. VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

7. Disclosure may be made to a national certifying body which has the authority to make decisions concerning the issuance, retention or revocation of licenses, certifications or registrations required to practice a health care profession, when requested in writing by an investigator or supervisory official of the national certifying body for the purpose of making a decision concerning the issuance, retention or revocation of the license, certification or registration of a named health care professional. VA must be able to report information regarding the health information a health care practitioner knew about or had access to when making care decisions to a national certifying body charged with maintaining the health and safety of patients by making a decision about a health care professional's license, certification or registration, such as issuance, retention, revocation or other actions such as suspension.

8. VA may disclose information to officials of the Merit Systems Protection Board (MSPB), or the Office of Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

9. VA may disclose information to the Equal Employment Opportunity Commission when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or for other functions of the Commission as authorized by law or regulation. VA must be able to provide information to the Commission to assist it in fulfilling its duties to protect employees' rights, as required by statute and regulation.

10. VA may disclose to the Fair Labor Relations Authority (FLRA) (including its General Counsel) information related to the establishment of jurisdiction, the investigation and resolution of allegations of unfair labor practices, or information in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; to disclose information in matters properly before the Federal Services Impasse Panel, and to investigate representation petitions and conduct or supervise representation elections. VA must be able to provide information to FLRA to comply with the statutory mandate under which it operates.

11. Disclosures of relevant information may be made to individuals, organizations, private or public agencies, or other entities with whom VA has a contract or agreement or where there is a subcontract to perform the services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA.

12. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

13. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

14. VA may disclose information from this system to a Federal agency for the purpose of conducting research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that there is legal authority under all applicable confidentiality statutes and regulations to provide the data and VA has determined prior to the disclosure that the VA data handling requirements are satisfied. The purpose of this disclosure is to aid other Federal agency conduct of government research to accomplish a statutory purpose of that agency.

III. Compatibility of the Proposed Routine Uses

The Privacy Act permits the VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which the VA collected the information. In all of the routine use disclosures described above, either the recipient of the information will use the information in connection with a matter relating to one of VA's programs, will use the information to provide a benefit to the VA, or disclosure is required by law.

The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Approved: April 23, 2012.

John R. Gingrich,

Chief of Staff, Department of Veterans Affairs.

SOR #168VA10P2

SYSTEM NAME:

Virtual Lifetime Electronic Record (VLER).

SYSTEM LOCATION:

Records are maintained at Department of Veterans Affairs (VA), Austin Information Technology Center (AITC), 1615 Woodward Street, Austin, TX 78772.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records contain information on Veterans and the family members or caregivers; members of the armed services, Reserves or National Guard; and VA employees who access information through VLER.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records may include patient demographic information (e.g., name, address, phone numbers, date of birth, social security number); patient demographic and health information from external health care providers (e.g., medication listing, allergies, consultations and referrals, history and physicals, discharge summaries, diagnostic studies and procedure notes, Advanced Directives, problem lists, laboratory reports, lists of procedures and encounters); benefits information (e.g., disability rating, service connection rating); and information on Veterans' preferences for restricting the sharing of their health information (e.g., authorizations, restriction requests, revocation of authorizations).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code, Section 501.

PURPOSE(S):

The records and information may be used for the ongoing communication of current healthcare data among VLER/Nationwide Health Information Network (NwHIN) partners, Department of Defense (DoD) and VA to promote improved quality of patient care and reduce duplicative ordering of tests, services and pharmaceuticals; for statistical analysis to produce various management, workload tracking, and follow-up reports; to track and evaluate the ordering and delivery of equipment, services and patient care; for the planning, distribution and utilization of resources; to monitor the performance of Veterans Integrated Service Networks (VISN); and to allocate clinical and administrative support to patients, to include but not be limited to healthcare treatment, disability adjudication, and benefits.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority permitting disclosure.

VA may disclose protected health information pursuant to the following routine uses where required by law, or required or permitted by 45 CFR Parts 160 and 164.

1. On its own initiative, the VA may disclose information, except for the names and home addresses of veterans and their dependents, to a Federal, State, local, tribal or foreign agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

2. Disclosure may be made to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose(s) of the request, and to identify the type of information requested), when necessary to obtain information relevant to an individual's eligibility, care history, or other benefits.

3. Disclosure of information to a NwHIN participant for the purpose of providing care or treatment to VA patients, reimbursement for health care services, or determining eligibility for government disability benefits.

4. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the Member, when the Member or staff person requests the record on behalf of and at the written request of the individual.

5. Disclosure may be made to National Archives and Records Administration (NARA) and the General Services Administration (GSA) in records management inspections conducted under authority of Title 44, Chapter 29, of the United States Code (U.S.C.).

6. VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

7. Disclosure may be made to a national certifying body which has the authority to make decisions concerning the issuance, retention or revocation of licenses, certifications or registrations required to practice a health care profession, when requested in writing by an investigator or supervisory official of the national certifying body for the purpose of making a decision concerning the issuance, retention or revocation of the license, certification or registration of a named health care professional.

8. VA may disclose information to officials of the Merit Systems Protection Board (MSPB), or the Office of Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

9. VA may disclose information to the Equal Employment Opportunity Commission when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or for other functions of the Commission as authorized by law or regulation.

10. VA may disclose to the Fair Labor Relations Authority (FLRA) (including its General Counsel) information related to the establishment of jurisdiction, the investigation and resolution of allegations of unfair labor practices, or information in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; to disclose information in matters properly before the Federal Services Impasse Panel, and to investigate representation petitions and conduct or supervise representation elections.

11. Disclosures of relevant information may be made to individuals, organizations, private or public agencies, or other entities with whom VA has a contract or agreement or where there is a subcontract to perform the services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement.

12. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

13. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

14. VA may disclose information from this system to a Federal agency for the purpose of conducting research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency, provided that there is legal authority under all applicable confidentiality statutes and regulations to provide the data and VA has determined prior to the disclosure that the VA data handling requirements are satisfied.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Records are maintained on electronic storage media including magnetic tape, disk, and laser optical media.

RETRIEVABILITY:

Records are retrieved by name, social security number or other assigned identifiers of the individuals on whom they are maintained. For reporting purposes records can also be retrieved by Internal Control Number (ICN), date of service or access by providers, facility, and by organizational user name.

SAFEGUARDS:

1. Access to and use of national administrative databases, warehouses, and data marts are limited to those persons whose official duties require such access, and the VA has established security procedures to ensure that access is appropriately limited. Information security officers and system data stewards review and authorize data access requests. VA regulates data access with security software that authenticates users and requires individually unique codes and passwords. VA provides information security training to all staff and instructs staff on the responsibility each person has for safeguarding data confidentiality.

2. Physical access to computer rooms housing national administrative databases, warehouses, and data marts is restricted to authorized staff and protected by a variety of security devices. Unauthorized employees, contractors, and other staff are not allowed in computer rooms. The Federal Protective Service or other security personnel provide physical security for the buildings housing computer rooms and data centers.

3. Data transmissions between operational systems and national administrative databases, warehouses, and data marts maintained by this system of records are protected by state-of-the-art telecommunication software and hardware. This may include firewalls, intrusion detection devices, encryption, and other security measures necessary to safeguard data as it travels across the VA Wide Area Network.

4. In most cases, copies of back-up computer files are maintained at off-site locations.

RETENTION AND DISPOSAL:

In accordance with the records disposition authority approved by the Archivist of the United States, health information stored on electronic media storage is maintained for seventy-five (75) years after the last episode of patient care and then deleted.

SYSTEM MANAGER(S) AND ADDRESS:

Official maintaining this system of records and responsible for policies and procedures is Director Standards and Interoperability, Chief Health Informatics Office/Office of Informatics and Analytics/Veterans Health Information, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420.

NOTIFICATION PROCEDURE:

Individuals who wish to determine whether this system of records contains information about them should contact their closest VA Medical Center (VAMC). Inquiries should include the person's full name, social security number, location and dates of treatment or location and dates of employment and their return address.

RECORD ACCESS PROCEDURE:

Individuals seeking information regarding access to and contesting of records in this system may write the Director Standards and Interoperability, Chief Health Informatics Office/Office of Informatics and Analytics/Veterans Health Information, Department of Veterans Affairs, 810 Vermont Avenue NW., Washington, DC 20420.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:

Information in this system of records is provided by Veterans and their family members or caregivers, members of the Armed Services, Reserves or National Guard, VA employees, VA computer systems, Veterans Health Information Systems and Technology Architecture (VistA)-VA (79VA19), National Patient Databases-VA (121VA19), Patient Medical Record—VA (24VA19), federal and non-federal VLER/NwHIN partners and Department of Defense.

[FR Doc. 2012-11485 Filed 5-10-12; 8:45 am]

BILLING CODE 8320-01-P