Privacy Act; Systems of Records

Federal Register: May 8, 2008 (Volume 73, Number 90)

Notices

Page 26192-26197

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

DOCID:fr08my08-154

DEPARTMENT OF VETERANS AFFAIRS

Privacy Act of 1974

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of Amendment of Systems of Records.

SUMMARY: As required by the Privacy Act of 1974, 5 U.S.C. 552a(e), notice is hereby given that VA is amending its system of records currently entitled ``Healthcare Eligibility Records--VA'' (89VA19) as established in the Federal Register, 59 FR 8677 (Feb. 23, 1994), and last amended at 66 FR 27752 (May 18, 2001). VA is amending the system by renaming the system to ``Income Verification Records--VA'' and renumbering the system to 89VA16, as well as revising the ``Description of Systems of Records''; ``Routine Use Disclosures of Data in the

System''; ``Categories of Records in the System''; ``Routine Uses of

Records Maintained in the System''; and ``Retrievability.'' VA is republishing the system notice in its entirety at this time.

DATES: Comments on the amendment of this system of records must be received no later than June 9, 2008. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the amended system will become effective

June 9, 2008.

Page 26193

ADDRESSES: Written comments may be submitted through http:// www.Regulations.gov; by mail or hand-delivery to the Director,

Regulations Management (00REG), Department of Veterans Affairs, 810

Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday

(except holidays). Please call (202) 273-9515 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS) at www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Stephania H. Putt, Veterans Health

Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, telephone (704) 245- 2492.

SUPPLEMENTARY INFORMATION:

1. Description of Revised Systems of Records

   Public Law 101-508, the Omnibus Budget Reconciliation Act of 1990, provides VA the authority to verify veterans' income to determine eligibility for medical benefits. VA's Health Eligibility Center (HEC) in Atlanta, Georgia, originally established as the Income Verification

   Match Center (IVMC), has authority under section 8051 to verify veterans' income with the Internal Revenue Service (IRS) and Social

   Security Administration (SSA). With the establishment of a new system of records, ``Enrollment and Eligibility Records--VA'' (147VA16), for certain purposes of ``Health Eligibility Records--VA'' (89VA19), the latter is being renamed to ``Income Verification Records--VA'' and being revised to better reflect the purpose and description of the records and the organizational location of the system of records.

2. Proposed Amendment to Routine Use Disclosures of Data in the System

   VA is amending the following routine uses:

   VA is rewriting routine use number three (3) in its entirety.

   VA is adding routine use number sixteen (16) to allow for the disclosure of information to other agencies, entities, and persons to respond to a data breach.

   VA is adding routine use number (17) to allow for the disclosure of information to officials of the Merit Systems Protection

   Board, or the Office of Special Counsel when investigating appeals.

   VA is adding routine use (18) to allow for the disclosure of information to the Federal Labor Relations Authority when resolving unfair labor practices.

   VA is amending routine use numbers two (2) through eleven

   (11) and routine use number thirteen (13) to reflect the exception of

   Federal Tax Information (FTI) from the records that may be disclosed pursuant to these routine uses.

   The Department has made minor edits to the System Notice for grammar and clarity purposes, including changes to routine uses. These changes are not, and are not intended to be, substantive, and are not further discussed or enumerated.

3. Compatibility of the Proposed Routine Uses

   The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which we collected the information. In all of the routine use disclosures, the recipient of the information will use the information in connection with a matter relating to one of VA's programs, will use the information to provide a benefit to VA, or the disclosure is required by law.

   Under section 264, Subtitle F of Title II of the Health Insurance

   Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, 100 Stat. 1936, 2033-34 (1996), the United States Department of Health and Human Services (HHS) published a final rule, as amended, establishing Standards for Privacy of Individually-Identifiable Health

   Information, 45 CFR Parts 160 and 164. VA may not disclose individually identifiable health information (as defined in HIPAA and the Privacy

   Rule, 42 U.S.C. 1320(d)(6) and 45 CFR 164.501) pursuant to a routine use unless either: (a) The disclosure is required by law, or (b) the disclosure is also permitted or required by the HHS Privacy Rule. The disclosures of individually identifiable health information contemplated in the routine uses published in this amended system of records notice are permitted under the Privacy Rule or required by law.

   However, to also have authority to make such disclosures under the

   Privacy Act, VA must publish these routine uses. Consequently, VA is publishing these routine uses and is adding a preliminary paragraph to the routine uses portion of the system of records notice stating that any disclosure pursuant to the routine uses in this system of records notice must be either required by law or permitted by the Privacy Rule before VA may disclose the covered information.

   The notice of intent to publish and an advance copy of this revised system of records notice have been sent to the appropriate

   Congressional committees and to the Director of Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

   Approved: April 25, 2008.

   Gordon H. Mansfield,

   Deputy Secretary of Veterans Affairs. 89VA19

   SYSTEM NAME:

   Income Verification Records--VA (89VA19)

   SYSTEM LOCATION:

   Records are maintained at VA's Health Eligibility Center (HEC) in

   Atlanta, Georgia, and Austin Automation Center (AAC) in Austin, Texas.

   Records are also stored at contracted locations in McLean, Virginia, and Atlanta, Georgia.

   CATEGORIES OF INDIVIDUALS COVERED BY THIS SYSTEM:

   Veterans who have applied for or have received VA health care benefits under Title 38, United States Code, Chapter 17; veterans' spouses and other dependents as provided for in other provisions of

   Title 38, United States Code.

   CATEGORIES OF RECORDS IN THE SYSTEM

   The category of records in the system includes:

   Federal Tax Information (FTI) and social security information generated as a result of computer matching activity with records from the IRS and SSA. The records may also include, but are not limited to, correspondence between HEC, veterans, their family members, and veterans' representatives such as Veteran Service Officers (VSOs); copies of death certificates; Notice of Separation; disability award letters; IRS documents (e.g., Form 1040s, Form 1099s, W-2s); workers compensation forms; and various annual earnings statements, as well as pay stubs and miscellaneous receipts.

   Note: VA may not disclose to any person in any manner any document that contains FTI received from IRS or SSA in accordance with the Internal Revenue Code (IRC) 26 U.S.C. 6103(l)(7). In addition, VA may not allow access to FTI by any contractor or subcontractor.

   Page 26194

   AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

   Title 38, United States Code, Sections 501(a), 1705, 1710, 1722, and 5317.

   PURPOSE(S):

   Information in this system of records is used to verify the household income of certain veterans and, if relevant, their spouses or dependents receiving VA health care benefits. The information in this system of records is also used to validate veterans' and their spouses' social security numbers; provide educational materials related to income verification; respond to veteran and non-veteran inquiries related to income verification; and compile management reports.

   ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES

   OF USERS AND THE PURPOSES OF SUCH USES:

   To the extent that records contained in this system include information protected by 26 U.S.C. 6103(p)(4), i.e., the nature, source and amount of income, that information may not be disclosed under a

   Routine Use set forth absent specific authorization from the IRS or the

   VA Office of General Counsel (024).

   VA may disclose protected health information pursuant to the following routine uses where required by law, or required or permitted by 45 CFR Parts 160 and 164: 1. VA may disclose the record of an individual who is covered by this system to a member of Congress or staff person acting for the member in response to an inquiry made at the request of that individual. 2. VA may disclose any information in this system of records, except Federal Tax Information (FTI), as deemed necessary and proper to named individuals serving as accredited service organization representatives and other individuals named as approved agents or attorneys for a documented purpose, period of time, or specific income year, to aid beneficiaries in the preparation and presentation of their cases during the verification and/or due process procedures and in the presentation and prosecution of claims under laws administered by VA. 3. VA may disclose, on its own initiative, any information in this system, except the names, home addresses, or FTI of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule, or order. Additionally, VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order issued pursuant thereto. 4. VA may disclose relevant information in this system, except FTI, in the course of presenting evidence to a court, magistrate, or administrative tribunal; in matters of guardianship, inquests, and commitments; to private attorneys representing veterans rated incompetent in conjunction with issuance of Certificates of

   Incompetency; and to probation and parole officers in connection with court-required duties. 5. VA may disclose information in this system, except FTI, to a VA

   Federal fiduciary or a guardian ad litem in relation to his or her representation of a veteran in any legal proceeding, but only to the extent necessary to fulfill the duties of the fiduciary or the guardian ad litem. 6. VA may disclose relevant information in this system, except FTI, to attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and to courts, boards, or commissions, but only to the extent necessary to aid VA in the preparation, presentation, and prosecution of claims authorized under

   Federal, State, or local laws, and regulations promulgated thereunder. 7. VA may disclose information in this system of records to the

   Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United

   States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the

   Department of Justice is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. 8. VA may disclose any information in this system, except FTI, to

   National Archives and Records Administration (NARA) and General

   Services Administration (GSA) in records management inspections conducted under Title 44 of United States Code. 9. VA may disclose information in this system, except FTI, to a third party, except consumer reporting agencies, in connection with any proceeding for the collection of an amount owed to the United States by virtue of a person's participation in any benefit program administered by VA, but only to the extent that it is reasonably necessary to (a) assist VA in the collection of costs of services provided individuals not entitled to such services; and (b) initiate civil or criminal legal actions for collecting amounts owed to the United States and/or for prosecuting individuals who willfully or fraudulently obtained or seek to obtain Title 38 medical benefits. This disclosure is consistent with 38 U.S.C. 5701(b)(6). 10. VA may disclose the names and address of veterans or their dependents and other information as is reasonably necessary to identify such individual concerning that individual's indebtedness to the United

   States by virtue of the person's participation in a benefits program administered by VA to a consumer reporting agency for purposes of assisting in the collection of such indebtedness, provided that the provisions of 38 U.S.C. 5701(g)(4) have been met. 11. VA may disclose information from this system, except FTI, or information security review purposes to other source Federal agencies who are parties to computer matching agreements involving the information maintained in this system, but only to the extent that the information is necessary and relevant to the review. 12. VA may disclose the name and other identifying information of veterans and their spouses to reported payers of earned or unearned income in order to verify the identifier provided, address, income paid, period of employment, and health insurance information provided on the means test, and to confirm income and demographic data provided by other Federal agencies during income verification computer matching. 13. VA may disclose identifying information other than FTI, such as veterans' and their dependents' social security numbers, to other

   Federal agencies for purposes of conducting computer matches to obtain valid

   Page 26195

   identifying, demographic, and income information and to verify eligibility of certain veterans who are receiving VA medical benefits under Title 38, United States Code, or for the purpose of conducting a computer match to obtain information to validate social security numbers maintained in VA records. 14. VA may disclose the name and social security number of a veteran, spouse and dependents, and other identifying information as is reasonably necessary to the Social Security Administration, Department of Health and Human Services, for the purpose of conducting a computer match to obtain information to validate the social security numbers maintained in VA records. 15. VA may disclose relevant information from this system to individuals, organizations, private or public agencies, etc., with whom

   VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA in order for the contractor or subcontractor to perform the services of the contract or agreement.

   Note: This routine use does not authorize disclosure of FTI received from the Internal Revenue Service or the Social Security

   Administration to contractors or subcontractors. 16. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the

   Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727. 17. VA may disclose information to officials of the Merit Systems

   Protection Board, or the Office of Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be authorized by law. 18. VA may disclose information to the Federal Labor Relations

   Authority (including its General Counsel) information related to the establishment of jurisdiction, the investigation and resolution of allegations of unfair labor practices, or information in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; to disclose information in matters properly before the Federal Services Impasses Panel, and to investigate representation petitions and conduct or supervise representation elections.

   POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING

   AND DISPOSING OF RECORDS IN THE SYSTEM:

   STORAGE:

   Records are maintained on magnetic tape, magnetic disk, optical disk, and paper.

   RETRIEVABILITY:

   Records (or information contained in records) maintained on paper documents are indexed and accessed by the applicant's name, social security number or case number and filed in case order number.

   Automated records are indexed and retrieved by the veteran's name, social security number, ICN, or case number. The spouse's name or social security number may be retrieved from the automated income verification record.

   ACCESS: 1. In accordance with national and locally established data security procedures, access to the HEC Legacy system and the Enrollment

   Database is controlled by unique entry codes (access and verification codes). The user's verification code is set to be changed automatically every 90 days. User access to data is controlled by role-based access as determined necessary by supervisory and information security staff as well as by management of option menus available to the employee.

   Determination of such access is based upon the role or position of the employee and functionality necessary to perform the employee's assigned duties. 2. On an annual basis, employees are required to sign a computer access agreement acknowledging their understanding of confidentiality requirements. In addition, all employees receive annual privacy awareness and information security training. Access to electronic records is deactivated when no longer required for official duties.

   Recurring monitors are in place to ensure compliance with nationally and locally established security measures. 3. Access to the AAC is generally restricted to AAC staff, VA

   Headquarters employees, custodial personnel, Federal Protective Service and authorized operational personnel through electronic locking devices. 4. Specific key staffs are authorized access to HEC computer room and all other persons gaining access to the computer rooms are escorted. Programmer access to the information systems is restricted only to staff whose official duties require that level of access.

   SAFEGUARDS: 1. Electronic data transmissions between VA health care facilities,

   HEC, and AAC are safeguarded by using VA's secure wide area network.

   The transmission of electronic data between SSA and AAC is safeguarded through the use of a secured, encrypted connection. Back-up of magnetic media containing FTI is transported between AAC and the off-site location in a locked storage container by an off-site vendor. Vendor personnel do not have key access to the locked container. The locked storage container is stored in a safe in a secured room at the off-site storage location. Access to the secured room and the safe is limited to authorized VA IT staff only. 2. The software programs at HEC, AAC, and VA health care facilities automatically flag records or events for transmission via electronic messages based upon functionality requirements. The recipients of the messages are controlled and/or assigned to the mail group based on their role or position. Server jobs at each facility run continuously to check for incoming and outgoing data to be transmitted which needs to be parsed to files on the receiving end. All messages containing data transmissions include header information that is used for validation purposes. Consistency checks in the software are used to validate the transmission, and electronic acknowledgment messages are returned to the sending application. The VA Office of Cyber Security has oversight responsibility for planning and implementing computer security.

   Page 26196

   3. Working spaces and record storage areas at the HEC are secured during all business hours, as well as during non-business hours. All entrance doors require an electronic pass card, issued by the HEC

   Security Officer, for entry when unlocked, and entry doors are locked outside normal business hours. Visitors are required to present identification and sign-in at a specified location. Visitors are issued a pass card which restricts access to non-sensitive areas and are escorted by staff through restricted areas. At the end of the visit, visitors are required to turn in their badge. The building is equipped with an intrusion alarm system which is activated during non-business hours. This alarm system is monitored by a private security service vendor. The office space occupied by employees with access to veteran records is secured with an electronic locking system, which requires a card for entry and exit of that office space. Access to the AAC is generally restricted to AAC staff, VA Headquarters employees, custodial personnel, Federal Protective Service and authorized operational personnel through electronic locking devices. All other persons gaining access to the computer rooms are escorted. 4. A number of other security measures are implemented to enhance security and safeguard of electronic records such as automatic timeout after a short period of inactivity and device locking after a pre-set number of invalid logon attempts, for example. 5. Electronic data, except FTI, is transmitted from HEC and AAC to

   VA health care facilities over the Department's secure wide area network. 6. Employees at the health care facility level do not have access to FTI, nor do they have the ability to edit or view income tests received from HEC as a result of the income match with IRS. 7. Only specific key staff and the Information Security Officer are authorized access to the computer room. Programmer access to AAC and

   HEC databases, which contain FTI, is restricted only to staff whose official duties require that level of access. Contractor staff is not authorized access to the production database. 8. On-line data, including FTI, reside on magnetic media in HEC and

   AAC computer rooms which are highly secured. Backup media are stored in a combination lock safe in a secured room within the same building and access to the safe is restricted to the information technology staff.

   Backup media are stored by an off-site media storage vendor who picks up the media on a weekly basis from HEC and AAC and returns the media to the off-site storage via a locked storage container. Vendor personnel do not have key access to the locked container. 9. Any sensitive information that may be downloaded to a personal computer or printed to hard copy format is provided the same level of security as the electronic records. All paper documents and informal notations containing sensitive data are shredded prior to disposal. All magnetic media (primary computer system) and personal computer disks are degaussed prior to disposal or released off site for repair. 10. HEC and AAC fully comply with the Tax Information Security

   Guidelines for Federal, State and Local Agencies (Department of

   Treasury IRS Publication 1075) as it relates to access and protection of such data. These guidelines define the management of magnetic media, paper and electronic records, and physical and electronic security of the data. 11. All new HEC employees receive initial information security and privacy training and refresher training is provided to all employees on an annual basis. HEC's Information Security Officer performs an annual information security audit. This annual audit includes the primary computer information system, the telecommunication system, and local area networks. Additionally, the IRS performs periodic on-site inspections to ensure the appropriate level of security is maintained for FTI. HEC and AAC's Information Security Officer and AIS administrator additionally perform periodic reviews to ensure security of the system and databases. 12. Identification codes and codes used to access HEC automated communications systems and records systems, as well as security profiles and possible security violations, are maintained on magnetic media in a secure environment at the Center. For contingency purposes, database back-ups on removable magnetic media are stored off-site by a licensed and bonded media storage vendor. 13. VA field facilities do not receive FTI from AAC or HEC. 14. Contractors and subcontractors are required to adhere to HEC's safeguard and security requirements.

   RETENTION AND DISPOSAL:

   Depending on the record medium, records are destroyed by either shredding or degaussing. Paper records are destroyed after they have been accurately scanned on optical disks. Optical disks or other electronic medium are deleted when all phases of the veteran's appeal rights have ended (ten years after the income year for which the means test verification was conducted). Electronic data and magnetic media received at AAC from SSA and IRS are destroyed 30 days after the data have been validated as being a true copy of the original data. Summary reports and other output reports are destroyed when no longer needed for current operation. Records are disposed of in accordance with the records retention standards approved by the Archivist of the United

   States, National Archives and Records Administration, and published in the VHA Records Control Schedule 10-1. Regardless of the record medium, no records will be retired to a Federal records center.

   SYSTEM MANAGER(S) AND ADDRESSES:

   Official responsible for policies and procedures: Chief Business

   Office (16), VA Central Office, 810 Vermont Avenue, NW., Washington, DC 20420. Official maintaining the system: Director, Health Eligibility

   Center, 2957 Clairmont Road, Atlanta, Georgia 30329.

   NOTIFICATION PROCEDURE:

   Any individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier or wants to determine the contents of such record should submit a written request or apply in person to the Health Eligibility

   Center. All inquiries must reasonably identify the records requested.

   Inquiries should include the individual's full name, social security number, and return address.

   RECORD ACCESS PROCEDURES:

   Individuals seeking information regarding access to and contesting of income verification records may write to the Director, Health

   Eligibility Center, 2957 Clairmont Road, Suite 200, Atlanta, Georgia 30329.

   CONTESTING RECORD PROCEDURES:

   (See Record Access procedures above).

   RECORD SOURCE CATEGORIES:

   Information in this systems of records may be provided by the applicant, applicant's spouse or other family members; accredited representatives or friends; employers and other payers of earned income; financial institutions and other payers of unearned income; health insurance carriers; other Federal agencies; the ``Patient

   Medical Records--VA'' (24VA19) and the ``Enrollment and Eligibility

   Records--VA'' (147VA16) systems of records; and Veterans Benefits

   Administration automated record systems (including the ``Veterans and

   Beneficiaries Identification and Records Location

   Page 26197

   Subsystem--VA'' (38VA23) and the ``Compensation, Pension, Education and

   Rehabilitation Records--VA'' (58VA21/22).

   FR Doc. E8-10230 Filed 5-7-08; 8:45 am

   BILLING CODE 8320-01-P