75 FR 102 pgs. 29818-29822 - Privacy Act of 1974; System of Records
Type: NOTICEVolume: 75Number: 102Pages: 29818 - 29822
FR document: [FR Doc. 2010-12758 Filed 5-26-10; 8:45 am]
Agency: Veterans Affairs Department
Official PDF Version: PDF Version
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY:
Department of Veterans Affairs (VA).
ACTION:
Notice of Amendment to System of Records.
SUMMARY:
As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records currently entitled "Veteran, Patient, Employee, and Volunteer Research and Development Project Records-VA" (34VA12) as set forth in the Federal Register 40 FR 38095, dated August 26, 1975 and last amended in 59 FR 16705, dated March 27, 2001. VA is amending the system by revising the System Location, Categories of Individuals Covered by the System, Categories of Records in the System, Purpose, Routine Uses of Records Maintained in the System, Storage, Safeguards, Retention and Disposal, and Records Sources Categories. VA is republishing the system notice in its entirety.
DATES:
Comments on the amendment of this system of records must be received no later than June 28, 2010. If no public comment is received, the amended system will become effective June 28, 2010.
ADDRESSES:
Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to Director, Regulations Management (02Reg), Department of Veterans Affairs, 810 Vermont Avenue, NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 (this is not a toll-free number) for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS) at http://www.Regulations.gov.
FOR FURTHER INFORMATION CONTACT:
Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420; telephone (704) 245-2492.
SUPPLEMENTARY INFORMATION:
Categories of individuals covered by the system has been amended to add members of research committees or subcommittees. In addition research and development employees.
Categories of records in the system has been amended to include electronic or other databases containing research information developed during a research project(s) or for future research; and research information systems such as the Research and Development Information System (RDIS). In addition, the purpose has been expanded to include the development programs within research.
Routine use 9 has been amended in its entirety. Routine use 20 was added to disclose information to other Federal agencies that may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs. This routine use permits disclosures by the Department to report a suspected incident of identity theft and provide information and/or documentation related to or in support of the reported incident.
Routine use 21 was added so that the VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.
The Privacy Act permits the VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which we collected the information. In all of the routine use disclosures described above, the recipient of the information will use the information in connection with a matter relating to one of VA's programs, will use the information to provide a benefit to the VA, or disclosure is required by law.
Under section 264, Subtitle F of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 100 Stat. 1936, 2033-34 (1996), the United States Department of Health and Human Services (HHS) published a final rule, as amended, establishing Standards for Privacy of Individually-Identifiable Health Information, 45 CFR Parts 160 and 164. The VA Veterans Health Administration may not disclose individually identifiable health information (as defined in HIPAA and the Privacy Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to a routine use unless either: (a) The disclosure is required by law, or (b) the disclosure is also permitted or required by the HHS Privacy Rule. The disclosures of individually-identifiable health information contemplated in the routine uses published in this amended system of records notice are permitted under the Privacy Rule or required by law. However, to also have authority to make such disclosures under the Privacy Act, VA must publish these routine uses. Consequently, VA is publishing these routine uses and is adding a preliminary paragraph to the routine uses portion of the system of records notice stating that any disclosure pursuant to the routine uses in this system of records notice must be either required by law or permitted by the Privacy Rule before VHA may disclose the covered information.
The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
Approved: April 26, 2010.
John R. Gingrich,
Chief of Staff, Department of Veterans Affairs.
34VA12
SYSTEM NAME:
"Veteran, Patient, Employee, and Volunteer Research and Development Project Records-VA."
SYSTEM LOCATION:
Records are maintained at each VA health care facility where the research project was conducted, at VA facilities where research administration or oversight activities occur, and at VA Central Office (VACO). Address locations are listed in VA Appendix 1 of the biennial Privacy Act Issuance publication. In addition, records are maintained at contractor and fieldwork sites as studies are developed, data collected and reports written. A list of locations where individually identifiable data are currently located is available from the System Manager.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The following categories of individuals will be covered by this system: (1) Veterans; (2) patients; (3) employees; (4) volunteers who have indicated their willingness to be a participant in research projects being performed by VA, by a VA contractor or by another Federal agency in conjunction with VA; and (5) members of research committee or subcommittees, (6) research and development investigators, and research development employees.
CATEGORIES OF RECORDS IN THE SYSTEM:
Records, or information contained in records, vary according to the specific research involved or research related activity involved and may include: (1) Research on biomedical, prosthetic and health care services; (2) research stressing spinal cord injuries and diseases and other disabilities that tend to result in paralysis of the lower extremities; and (3) morbidity and mortality studies on former prisoners of war, (4) research related to injuries sustained while on active duty military service such as traumatic amputations, traumatic brain injury, and burns; (5) electronic or other databases containing research information developed during a research project(s) or for future research; (6) research information systems such as the Research and Development Information System (RDIS); (7) copies of medical records of research participants; (8) merit review of the research projects; (9) review and evaluation of proposed research; (10) continuing review and oversight of ongoing research; (11) evaluation of research committees, and (12) a review and evaluation of the research and development investigators and of the participants in the program. The review and evaluation information concerning the research and development investigators may include personal and educational background information as well as specific information concerning the type of research conducted. Invention records contain: a certification page, describing the place, time, research support related to the invention and co-inventors; Technology Transfer Program Invention Evaluation Sheet Internal or External Invention Assessment reports; Research and Development Information System (RDIS) reports or other research information system reports on research support related to the invention; Correspondence; and the Office of General Counsel Letter of Determination.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Title 38, United States Code, Section 7301.
PURPOSE(S):
The records and information may be used to determine eligibility for research funding, to determine handling of intellectual properties, to manage proposed and/or approved research endeavors, and to evaluate the research and development program.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information, and 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
1. Transfer of statistical and other data to Federal, State, and local government agencies and national health organizations to assist in the development of programs.
2. VA may disclose on its own initiative any information in this system, except the names, home addresses, scrambled social security number, and social security number of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. On its own initiative, VA may also disclose the names, scrambled social security number, and social security number addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto unless a Certificate of Confidentiality has been issued for the research by the National Institutes of Health under section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)).
3. Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
4. Disclosure may be made to National Archives and Records Administration (NARA), General Services Administration (GSA) in records management inspections conducted under authority of 44 United States Code.
5. Disclosure of medical record data, excluding name, address, scrambled social security number, and social security number (unless name, address, scrambled social security number, and social security number is furnished by the requester) for research purposes determined to be necessary and proper, to epidemiological and other research facilities approved by the Under Secretary for Health.
6. In order to conduct Federal research necessary to accomplish a statutory purpose of an agency, at the written request of the head of the agency, or designee of the head of that agency, the name(s) and address(es) of present or former personnel of the Armed Services and/or their dependents may be disclosed (a) to a Federal department or agency or (b) directly to a contractor of a Federal department or agency. When a disclosure of this information is to be made directly to the contractor, VA may impose applicable conditions on the department, agency or contractor to ensure the appropriateness of the disclosure to the contractor.
7. In order to conduct VA research, names, addresses, and social security numbers may be disclosed to other Federal and state agencies for the purpose of the Federal or state agency disclosing information on the individuals back to VA.
8. Upon request for research project data from VA approved research, the following information will be released to the general public, including governmental and non-governmental agencies and commercial organizations: Project title and number; name and educational degree of principal investigator unless the release of this information would place the investigator at risk (physical, professional, etc. ); VHA medical center location; type (initial, progress, or final) and date of last report; name and educational degree of associate investigators unless the release of this information would place the investigator at risk (physical, professional, etc. ); project abstract if the project is ongoing, and project summary if the project has been completed. In addition, upon specific request, keywords and indexing codes will be included for each project.
9. Upon request for information regarding VA employees conducting research, the following information will be released to the general public, including governmental agencies and commercial organizations: Name and educational degree of investigator; VHA title; academic affiliation and title; hospital service; primary and secondary specialty areas and subspecialty unless the release of this information would place the investigator at risk (physical, professional, etc.).
10. A record from this system of records may be disclosed to a Federal agency, state or local government licensing board and/or to the Federation of State Medical Boards or a similar non-government entity, upon its request for use in the issuance of a security clearance, the investigation of an employee, the letting of a contract, or the issuance of a license, grant or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting that organization's decision on the matter.
11. Identifying information in this system, including name, address, social security number and other information as is reasonably necessary to identify such individual, may be disclosed to the National Practitioner Data Bank at the time of hiring or clinical privileging/reprivileging of health care practitioners, and other times as deemed necessary by VA, in order for VA to obtain information relevant to a Department decision concerning the hiring, privileging/reprivileging, retention or termination of the applicant or employee.
12. Relevant information from this system of records may be disclosed to the National Practitioner Data Bank and State Licensing Board in the States in which a practitioner is licensed, in which the VA facility is located, or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning: (a) Any payment for the benefit of a physician, dentist, or other licensed health care practitioner which was made as the result of a settlement or judgment of a claim of medical malpractice of an appropriate determination is made in accordance with agency policy that payment was related to substandard care, professional incompetence or professional misconduct on the part of the individual; (b) a final decision which relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician or dentist for a period longer than 30 days; or, (c) the acceptance of the surrender of clinical privileges or any restriction of such privileges by a physician or dentist either while under investigation by the health care entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer matching program to accomplish these purposes.
13. Information concerning individuals who have submitted research program proposals for funding, including the investigator's name, social security number, research qualifications and the investigator's research proposal, may be disclosed to qualified reviewers for their opinion and evaluation of the applicants and their proposals as part of the application review process.
14. VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or each case, the agency also determines prior to disclosure that release of the records to DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.
15. Any invention information in this system may be disclosed to affiliated intellectual property partners to aid in the possible use, interest in, or ownership rights in VA intellectual property.
16. VA may disclose information concerning merit review of proposals submitted by an individual to the individual except that information concerning a third party, such as the name or other identifying information about the qualified reviewer of the proposal.
17. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.
18. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.
19. Disclosure of relevant information may be made to individuals, organizations, private or public agencies, or other entities with whom VA has a contract or agreement or where there is a subcontract to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement.
Disclosure to consumer reporting agencies:
Reports of all transactions dealing with data will be used within VA and will not be provided to any consumer-reporting agency.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
(1) Paper documents (2) Microscope slides (3) Magnetic tape or disk or other electronic media (4) Photographs and (5) Microfilm.
RETRIEVABILITY:
Records are retrieved by individual identifiers and indexed by a specific project site or location, project number, or under the name of the research or development investigator.
SAFEGUARDS:
This list of safeguards furnished in this System of Record is not an exclusive list of measures that has been, or will be, taken to protect individually-identifiable information. VHA will maintain the data in compliance with applicable VA security policy directives that specify the standards that will be applied to protect sensitive personal information. Physical Security: Access to VA working space and medical record storage areas is restricted to VA employees on a "need to know" basis.
Generally, VA file areas are locked after normal duty hours and protected from outside access by the Federal Protective Service. Employee file records and file records of public figures or otherwise sensitive medical record files are stored in separate locked files. Strict control measures are enforced to ensure that disclosure is limited to a "need to know" basis.
Access to a contractor's records and their system of computers used with the particular project are available to authorized personnel only. Records on investigators stored on automated storage media are accessible by authorized VA personnel via VA computers or computer systems. They are required to take annual VA mandatory data privacy and security training. Security complies with applicable Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST). Contractors and their subcontractors who access the data are required to maintain the same level of security as VA staff.
RETENTION AND DISPOSAL:
The records contained in this system have not been scheduled and will be kept indefinitely until such time as they are. The records may not be destroyed until VA obtains an approved records disposition authority from the Archivist of the United States.
SYSTEM MANAGER(S) AND ADDRESS:
Director of Operations, Research and Development (12), Department of Veterans Affairs, 810 Vermont Ave., NW., Washington, DC 20420.
NOTIFICATION PROCEDURE:
Interested persons should write to: Director of Operations, Research and Development (12), Department of Veterans Affairs, 810 Vermont Ave., NW., Washington, DC 20420. All inquiries must reasonably identify the project and site location; date of project and team leader.
RECORD ACCESS PROCEDURE:
Individuals seeking information regarding access to and contesting of records in this system may write, call or visit the VA facility location where they made application for employment or are or were employed.
CONTESTING RECORD PROCEDURES:
(See Record Access Procedures above.)
RECORD SOURCE CATEGORIES:
(1) Patients and patient records (2) employees and volunteers (3) other Federal agencies (4) National Institutes of Health (5) Centers for Disease Control (Atlanta, Georgia) (6) individual veterans (7) other VA systems of records (8) research and development investigators, and (9) research and development databases.
[FR Doc. 2010-12758 Filed 5-26-10; 8:45 am]
BILLING CODE P