Privacy Act of 1974; System of Records

Federal Register, Jun 23, 2021
86 Fed. Reg. 33015 (Jun. 23, 2021)

AGENCY:

Department of Veterans Affairs (VA), Veterans Health Administration (VHA).

ACTION:

Notice of a modified system of records.

SUMMARY:

As required by the Privacy Act of 1974, notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records entitled, “Veteran, Patient, Employee, and Volunteer Research and Development Project Records—VA” (34VA12) as set forth in the Federal Register. VA is amending the system of records by revising the System Number; System Manager; Purpose of the System; Categories of Individuals Covered by the System; Categories of Records in the System; Record Source Categories; Routine Uses of Records Maintained in the System; Policies and Practices for Storage of Records; Policies and Practices for Retention and Disposal of Records; Physical, Procedural and Administrative Safeguards; Record Access Procedure; and Notification Procedure. VA is republishing the system notice in its entirety.

DATES:

Comments on this amended system of records must be received no later than July 23, 2021. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by the VA, the modified system of records will become effective a minimum of 30 days after date of publication in the Federal Register. If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

ADDRESSES:

Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), Washington, DC 20420. Comments should indicate that they are submitted in response to “Veteran, Patient, Employee, and Volunteer Research and Development Project Records—VA” (34VA12). Comments received will be available at regulations.gov for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT:

Stephania Griffin, Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492 (Note: not a toll-free number).

SUPPLEMENTARY INFORMATION:

The System Number is being updated from 34VA12 to 34VA10 to reflect the current VHA organizational routing symbol.

The System Manager and Notification Procedure are being updated to replace, “Director of Operations Research and Development (12)” with Director of Office of Research Protections, Policy and Education, Office of Research and Development, Telephone number (202) 443-5681 (Note: this is not a toll-free number).

The Purpose is being amended to include that records may also be used for data analysis in order to answer a specific question and obtain generalizable knowledge and increased understanding of a topic or issue.

Categories of Individuals Covered by the System is being amended to include volunteers as a caregiver, non-patient/non-Veterans, and VA research subjects.

Categories of Records in the System is being amended to remove research support related to the invention. This section will include item 13) a contracted research review system. This section will also include other research information management system reports that contain compliance information involving research projects conduct, support and oversight.

The Record Source Categories is being amended to include Information technology (IT) systems or databases and non-subjects.

The Routine Uses of Records Maintained in the System is being amended to remove scrambled Social Security number in Routine uses #2 and #5.

The language in Routine Use #14 is being updated. It previously stated that disclosure of the records to the Department of Justice (DoJ) is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. This routine use will now state that VA may disclose information to the Department of Justice (DoJ), or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when:

(a) VA or any component thereof;

(b) Any VA employee in his or her official capacity;

(c) Any VA employee in his or her official capacity where DoJ has agreed to represent the employee; or

(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components,

is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings, provided, however, that in each case VA determines the disclosure is compatible with the purpose for which the records were collected. If the disclosure is in response to a subpoena, summons, investigative demand, or similar legal process, the request must meet the requirements for a qualifying law enforcement request under the Privacy Act, 5 U.S.C. 552a(b)(7), or an order from a court of competent jurisdiction under 552a(b)(11).

Routine Use #18 has been updated by clarifying the language to state, “VA may disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.”

Routine use #20 is being added to state, “VA may disclose information from this system of records to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.”

Policies and Practices for Storage of Records is being updated to include (6) Web based cloud storage systems and (7) Recordings (audio and video).

Policies and Practices for Retention and Disposal of Records is being updated to remove “records contained in this system have not been categorized in a record control schedule (RCS), will be kept indefinitely until such time as they are. The records may not be destroyed until VA obtains an approved records disposition authority from the Archivist of the United States.” This section is updated to state that Records are scheduled in accordance with RCS 10-1, 8300.6, temporary disposition; cutoff at the end of the fiscal year after completion of the research project. Destroy six (6) years after cutoff. May retain longer if required by other Federal regulations or the European General Data Protection regulations.

The Physical, Procedural and Administrative Safeguards section is being updated to state that access to automated information systems is protected by an approved form of two factor authentication and communications are encrypted at rest and in transit.

The Record Access Procedure is being amended to include research project submissions or participation in research projects may visit the VA location where the records were initially generated.

The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by the Privacy Act and guidelines issued by OMB, December 12, 2000.

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Dominic A. Cussatt, Acting Assistant Secretary of Information and Technology and Chief Information Officer, approved this document on May 14, 2021 for publication.

Dated: June 17, 2021.

Amy L. Rose,

Program Analyst, VA Privacy Service, Office of Information Security, Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:

Veteran, Patient, Employee, and Volunteer Research and Development Project Records—VA (34VA10).

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Records are maintained at each VA health care facility where the research project was conducted, at VA facilities where research administration or oversight activities occur, and at VA Central Office (VACO). Address locations are listed in VA Appendix 1 of the biennial Privacy Act Issuance publication. In addition, records are maintained at contractor and fieldwork sites as studies are developed, data collected, and reports written. A list of locations where individually identifiable data is currently located is available from the System Manager.

SYSTEM MANAGER(S):

Dr. Molly Klote, Director of Office of Research Protections, Policy and Education, Office of Research and Development, Department of Veterans Affairs, 810 Vermont Ave. NW, Washington, DC 20420. Telephone number (202) 443-5681 (Note: this is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code, Section 7301.

PURPOSE(S) OF THE SYSTEM:

The records and information may be used to determine eligibility for research funding, to determine handling of intellectual properties, to manage proposed and/or approved research endeavors, and to evaluate the research and development program. The records may also be used for data analysis in order to answer a specific question and obtain generalizable knowledge and increased understanding of a topic or issue.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The following categories of individuals will be covered by this system: (1) Veterans; (2) patients; (3) employees; (4) volunteers (e.g., caregivers, non-patient/non-Veterans, VA research subjects) in research projects being performed by VA, by a VA contractor or by another Federal agency in conjunction with VA; (5) members of research committee or subcommittees; and (6) research and development investigators and research and development employees.

CATEGORIES OF RECORDS IN THE SYSTEM:

Records, or information contained in records, vary according to the specific research involved or research related activity involved and may include: (1) Research on biomedical, prosthetic and health care services; (2) research stressing spinal cord injuries and diseases and other disabilities that tend to result in paralysis of the lower extremities; and (3) morbidity and mortality studies on former prisoners of war; (4) research related to injuries sustained while on active duty military service such as traumatic amputations, traumatic brain injury, and burns; (5) electronic or other databases containing research information developed during a research project(s) or for future research; (6) research information management systems such as the Research and Development Information System (RDIS); (7) copies of medical records of research participants; (8) merit review of the research projects; (9) review and evaluation of proposed research; (10) continuing review and oversight of ongoing research; (11) evaluations performed by research committees; (12) a review and evaluation of the research and development investigators and of the participants in the program; and (13) a contracted research review system. The review and evaluation information concerning the research and development investigators may include personal and educational background information as well as specific information concerning the type of research conducted. Invention records contain: A certification page, describing the place, time, research support related to the invention and co-inventors; Technology Transfer Program Invention Evaluation Sheet Internal or External Invention Assessment reports; Research and Development Information System (RDIS) reports or other research information management system reports contain compliance information involving research projects conduct, support and oversight; Correspondence; and the Office of General Counsel Letter of Determination.

RECORD SOURCE CATEGORIES:

(1) Patients and patient records, (2) employees and volunteers, (3) other Federal agencies, (4) National Institutes of Health, (5) Centers for Disease Control (Atlanta, Georgia), (6) individual Veterans, (7) other VA systems of records and IT systems or databases, (8) research and development investigators, (9) research and development databases, and (10) non-subjects.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually-identifiable health information, and 38 U.S.C. 7332; i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.

1. Transfer of statistical and other data to Federal, State, and local government agencies and national health organizations to assist in the development of programs.

2. VA may disclose any information in this system, except the names, home addresses, and Social Security number of Veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. VA may also disclose the names and Social Security number addresses of Veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto unless a Certificate of Confidentiality has been issued for the research by the National Institutes of Health under section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)).

3. VA may disclose information to a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

4. VA may disclose information to National Archives and Records Administration (NARA) in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.

5. VA may disclose information from this system to epidemiological and other research facilities approved by the Under Secretary for Health for research purposes determined to be necessary and proper, provided that the names and addresses of Veterans and their dependents will not be disclosed unless those names and addresses are first provided to VA by the facilities making the request.

6. VA may disclose the names and addresses of present or former members of the armed services or their beneficiaries: (1) To a nonprofit organization if the release is directly connected with the conduct of programs and the utilization of benefits under Title 38, and (2) to any criminal or civil law enforcement governmental agency or instrumentality charged under applicable law with the protection of the public health or safety, if a qualified representative of such organization, agency, or instrumentality has made a written request that such names or addresses be provided for a purpose authorized by law; provided that the records will not be used for any purpose other than that stated in the request and that organization, agency, or instrumentality is aware of the penalty provision of 38 U.S.C. 5701(f).

7. In order to conduct VA research, names, addresses, and Social Security numbers may be disclosed to other Federal and state agencies for the purpose of the Federal or state agency disclosing information on the individuals back to VA.

8. Upon request for research project data from VA approved research, the following information will be released to the general public, including governmental and non-governmental agencies and commercial organizations: Project title and number; name and educational degree of principal investigator unless the release of this information would place the investigator at risk (physical, professional, etc.); VHA medical center location; type (initial, progress, or final) and date of last report; name and educational degree of associate investigators unless the release of this information would place the investigator at risk (physical, professional, etc.); project abstract if the project is ongoing, and project summary if the project has been completed. In addition, upon specific request, keywords and indexing codes will be included for each project.

9. Upon request for information regarding VA employees conducting research, the following information will be released to the general public, including governmental agencies and commercial organizations: Name and educational degree of investigator; VHA title; academic affiliation and title; hospital service; primary and secondary specialty areas and subspecialty unless the release of this information would place the investigator at risk (physical, professional, etc.).

10. VA may disclose information to a Federal agency, a state or local government licensing board, the Federation of State Medical Boards, or a similar non-governmental entity that maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty, to inform such non-governmental entities about the health care practices of a terminated, resigned, or retired health care employee whose professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients in the private sector or from another Federal Agency. These records may also be disclosed as part of an ongoing computer matching program to accomplish these purposes.

11. VA may disclose information to the National Practitioner Data Bank at the time of hiring or clinical privileging/re-privileging of health care practitioners, and other times as deemed necessary by VA, in order for VA to obtain information relevant to a Department decision concerning the hiring, privileging/re-privileging, retention, or termination of the applicant or employee.

12. VA may disclose information to the National Practitioner Data Bank or a State Licensing Board in the state in which a practitioner is licensed, in which the VA facility is located, or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning: (1) Any payment for the benefit of a physician, dentist, or other licensed health care practitioner that was made as the result of a settlement or judgment of a claim of medical malpractice, if an appropriate determination is made in accordance with Department policy that payment was related to substandard care, professional incompetence, or professional misconduct on the part of the individual; (2) a final decision that relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician or dentist for a period longer than 30 days; or (3) the acceptance of the surrender of clinical privileges or any restriction of such privileges by a physician or dentist, either while under investigation by the health care entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

13. Information concerning individuals who have submitted research program proposals for funding, including the investigator's name, Social Security number, research qualifications and the investigator's research proposal, may be disclosed to qualified reviewers for their opinion and evaluation of the applicants and their proposals as part of the application review process.

14. VA may disclose information to the Department of Justice (DoJ), or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when:

(e) VA or any component thereof;

(f) Any VA employee in his or her official capacity;

(g) Any VA employee in his or her official capacity where DoJ has agreed to represent the employee; or

(h) The United States, where VA determines that litigation is likely to affect the agency or any of its components,

is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings, provided, however, that in each case VA determines the disclosure is compatible with the purpose for which the records were collected. If the disclosure is in response to a subpoena, summons, investigative demand, or similar legal process, the request must meet the requirements for a qualifying law enforcement request under the Privacy Act, 5 U.S.C. 552a(b)(7), or an order from a court of competent jurisdiction under 552a(b)(11).

15. Any invention information in this system may be disclosed to affiliated intellectual property partners to aid in the possible use, interest in, or ownership rights in VA intellectual property.

16. VA may disclose information concerning merit review of proposals submitted by an individual to the individual except that information concerning a third party, such as the name or other identifying information about the qualified reviewer of the proposal.

17. VA may disclose to other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

18. VA may disclose any information or records to appropriate agencies, entities, and persons when: (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

19. VA may disclose information to contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.

20. VA may disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:

Reports of all transactions dealing with data will be used within VA and will not be provided to any consumer-reporting agency.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

(1) Paper documents, (2) microscope slides, (3) magnetic tape or disk or other electronic media, (4) photographs, (5) microfilm, (6) web based cloud storage systems, and (7) recordings (audio and video).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by individual identifiers and indexed by a specific project site or location, project number, or under the name of the research or development investigator.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are scheduled in accordance with RCS 10-1, 8300.6, temporary disposition; cutoff at the end of the fiscal year after completion of the research project. Destroy six (6) years after cutoff. May retain longer if required by other Federal regulations or the European General Data Protection regulations. (DAA-0015-2015-0004, item 0032)

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

This list of safeguards furnished in this System of Record is not an exclusive list of measures that has been, or will be, taken to protect individually identifiable information. VHA will maintain the data in compliance with applicable VA security policy directives that specify the standards that will be applied to protect sensitive personal information. Physical Security: Access to VA working space and medical record storage areas is restricted to VA employees on a “need to know” basis.

Generally, VA file areas are locked after normal duty hours and protected from outside access by the Federal Protective Service. Employee file records and file records of public figures or otherwise sensitive medical record files are stored in separate locked files. Access to automated information systems is protected by an approved form of two factor authentication and communications are encrypted at rest and in transit. Strict control measures are enforced to ensure that disclosure is limited to a “need to know” basis.

Access to a contractor's records and their system of computers used with the particular project are available to authorized personnel only. Records on investigators stored on automated storage media are accessible by authorized VA personnel via VA computers or computer systems. They are required to take annual VA mandatory data privacy and security training. Security complies with applicable Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST). Contractors and their subcontractors who access the data are required to maintain the same level of security as VA staff.

RECORD ACCESS PROCEDURE:

Individuals seeking information regarding access to and contesting of records in this system related to research project submissions or participation in research projects may write, call or visit the VA location where the records were initially generated.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)

NOTIFICATION PROCEDURE:

Interested persons should write to: Director of Office of Research Protections, Policy and Education, Office of Research and Development, Department of Veterans Affairs, 810 Vermont Ave. NW, Washington, DC 20420. All inquiries must reasonably identify the project and site location; date of project and team leader.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

Last full publication provided in 75 FR 29818.

[FR Doc. 2021-13141 Filed 6-22-21; 8:45 am]

BILLING CODE P