Privacy Act of 1974; System of Records

AGENCY:

Veterans Health Administration (VHA), Department of Veterans Affairs (VA).

ACTION:

Notice of modified system of records.

SUMMARY:

Pursuant to the Privacy Act of 1974, notice is hereby given that the VA is modifying the system of records entitled “Disaster Emergency Medical Personnel System (DEMPS)-VA” (98VA104). This system is used to provide information on sufficient health care medical support personnel to respond to disasters, to provide information to the VHA Office of Emergency Management (OEM) primarily during national, regional, or local emergencies caused by catastrophic events, and to respond to internal emergencies occurring within the Veterans Integrated Service Networks (VISN) requiring support to VHA facilities or National Disaster Frameworks, Emergency Support Function 8 (ESF 8) assistance to Federal, State, local, Territorial, or Tribal (SLTT) partners.

DATES:

Comments on this modified system of records must be received no later than 30 days after date of publication in the Federal Register . If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the modified system of records will become effective a minimum of 30 days after date of publication in the Federal Register . If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

ADDRESSES:

Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), Washington, DC 20420. Comments should indicate that they are submitted in response to “Disaster Emergency Medical Personnel System (DEMPS)-VA” (98VA104). Comments received will be available at regulations.gov for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT:

Stephania Griffin, Veterans Health Administration Chief Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420, stephania.griffin@va.gov, telephone number 704–245–2492 (Note: This is not a toll-free number).

SUPPLEMENTARY INFORMATION:

VA is modifying the system by revising the System Name, System Number, System Location; System Manager; Purpose; Categories of Individuals Covered by the System; Categories of Records in the System; Records Source Categories; Routine Uses of Records Maintained in the System; Policies and Practices for Retention and Disposal of Records; and Physical, Procedural and Administrative Safeguards.

The System Name will be changed from “Disaster Emergency Medical Personnel System (DEMPS)-VA” to “Performance Improvement Management System (PIMS), Deployment Management System (DMS)-VA”.

The System Number will be changed from 98VA104 to 98VA10 to reflect the current VHA organizational routing symbol.

The System Location is being updated to remove verbiage indicating that records are maintained at each of the VA health care facilities. The address locations for VA facilities were listed in VA Appendix I of the biennial publication of the VA systems of record. Information from these records or copies of records may be maintained at the Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420; Network Directors' Offices; Emergency Management Strategic Healthcare Group Headquarters, VA Medical Center, Martinsburg, WV 25401; or with the Area Emergency Managers located at VA facilities. This section will now reflect the following: Records are maintained within the DMS/PIMS infrastructure and database. PIMS is a web-based system developed and hosted under contract with the Oak Ridge Associated Universities (ORAU). ORAU's cognizant government contracting office is the U.S. Department of Energy (DOE), Oak Ridge National Laboratory Site Office. PIMS is hosted on a Windows stack (Web and Structured Query Language server); all tiers of the PIMS application stack are hosted in a virtual hosting environment by ORAU in their data center in Oak Ridge, Tennessee.

The System Manager is being updated to replace Director, Emergency Management Strategic Healthcare Group (EMSHG (13C)), with Executive Director, VHA OEM.

The Purpose is being updated to revise verbiage indicating that records are used for the Emergency Management Strategic Healthcare Group primarily in times of national emergencies caused by catastrophic events, and to respond to internal emergencies occurring within the VISNs. This section will now reflect the following: Provide information to VHA OEM primarily in times of national, regional, or local emergencies requiring support to VHA facilities or National Disaster Frameworks, Emergency Support Function 8 (ESF 8) assistance to Federal, SLTT partners.

Categories of Individuals Covered by the System is being updated to remove terrorist attacks, and the employment of nuclear, biological, and chemical weapons of mass destruction. This section will include supporting staff, man-made hazards, and other positions required for hospital and health care operations.

Categories of Records in the System is being updated to remove: Information is provided on a voluntary basis. This section will include supporting staff, and mission assignments from other Federal departments and agencies. Information such as name, professional title, credentialing, home station, professional specialty, job position title.

Records Source Categories is being updated to include: the Light Electronic Action Framework (LEAF) system is used to provide credentialing and privileging of health care providers and personnel.

Policies and Practices for Retention and Disposal of Records is being updated to include VHA Records Control Schedule 10–1, Item Number 1270.1.

The following routine use #4 is being updated to include Clinical Deployment Team, Telehealth Emergency Management, or other VHA personnel.

The following routine use #10 is being removed: Information may be disclosed to a State or local government entity or national certifying body that has the authority to make decisions concerning the issuance, retention or revocation of licenses.

The following routine use is now being replaced as #10: Data Breach Response and Remediation, for Another Federal Agency: To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

Physical, Procedural and Administrative Safeguards is being updated to include VA Police Service. Number 2 will remove: Access to the Veterans Health Information Systems Technology Architecture (VistA) computer room within the health care facilities is generally limited by appropriate security devices and restricted to authorized VA employees and vendor personnel. Automatic Data Processing (ADP) peripheral devices are generally placed in secure areas (areas that are locked or have limited access) or are otherwise protected. Authorized VA employees may access information in the VistA system. Access to file information is controlled at two levels: The system recognizes authorized employees by a series of individually unique passwords/codes as a part of each data message, and the employees are limited to only that information in the file which is needed in the performance of their official duties. This section will now reflect the following: All tiers of the VHA PIMS application stack are hosted in a highly available, resilient, and redundant virtual hosting environment. The internet connection is provided through the Department of Energy's Energy Science Network (ES.NET), managed by ORAU under a DOE Authority to Operate (ATO). As part of the ATO, VHA PIMS has been built in accordance with applicable Federal Information Security Management Act and National Institute of Standards and Technology (NIST) security and privacy control requirements for Federal information systems with implementation of all baseline security controls commensurate with the Federal Information Processing Standard 199 system security categorization. ORAU handles data in PIMS in accordance with the appropriate NIST classification.

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Kurt D. DelBene, Assistant Secretary for Information and Technology and Chief Information Officer, approved this document on March 18, 2023 for publication.

SYSTEM NAME AND NUMBER:

Performance Improvement Management System (PIMS), Deployment Management System (DMS)-VA (98VA10).

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Records are maintained within the DMS/PIMS infrastructure and database. PIMS is a web-based system developed and hosted under contract with the Oak Ridge Associated Universities (ORAU). ORAU's cognizant government contracting office is the U.S. Department of Energy (DOE), Oak Ridge National Laboratory Site Office. PIMS is hosted on a Windows stack (Web and Structured Query Language server); all tiers of the PIMS application stack are hosted in a virtual hosting environment by ORAU in their data center in Oak Ridge, Tennessee.

SYSTEM MANAGER(S):

Official responsible for maintaining the system: Executive Director, Veterans Health Administration (VHA) Office of Emergency Management (OEM), VA Medical Center, Martinsburg, West Virginia, 25405. Telephone number 304–264–4827 (Note: This is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Authority for maintenance of this system of records is Executive Order 12656 dated November 18, 1988.

PURPOSE(S) OF THE SYSTEM:

The records may be used for such purpose as to provide information on sufficient health care medical and support personnel to respond to disasters, to provide information to VHA OEM primarily in times of national, regional, or local emergencies requiring support to VHA facilities or National Disaster Frameworks, Emergency Support Function 8 (ESF 8) assistance to Federal, State, Local, Territorial, or Tribal (SLTT) partners.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

These records include information on VA employees who make application to VA and are considered for deployment as health care providers and supporting staff, primarily in times of national, regional, or local emergencies in response to domestic disasters resulting from natural, technological, or man-made hazards. These individuals may include audiologists, dentists, dietitians, expanded-function dental auxiliaries, licensed practical vocational nurses, nuclear medicine technologists, nurse anesthetists, nurse practitioners, nurses, occupational therapists, optometrists, clinical pharmacists, licensed physical therapists, physician assistants, physicians, podiatrists, psychologists, registered respiratory therapists, certified respiratory therapy technicians, diagnostic and therapeutic radiology technologists, social workers, speech pathologists, contracting specialists, building maintenance, engineering, housekeeping, other positions required for hospital and health care operations and other personnel associated with emergency management.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records may include information on VA employees who make application to be deployed as health care providers and supporting staff primarily in times of national, regional, or local emergencies. This source document provides personal and demographic information, such as name, professional title, credentialing, home station, professional specialty, job position title, initiated, provided, and authenticated by the employee and contains the necessary approvals and signatures of officials in the supervisory chain for the employee's inclusion in the database. Information related to identifying and selecting by VHA OEM, Veterans Integrated Services Networks (VISN) and VA medical facility personnel eligible to support specific job taskings and assignments during disasters internal to the VHA health care system or external to VHA for which the VA is tasked to provide support under applicable authorities. Requests for issuance of travel orders and necessary reimbursement to VA for subsequent allocation of funds to home stations of deployed personnel are required to cover costs of travel, overtime and other expenses associated with individual deployments. This information is necessary to account for personnel deployed in support of disasters, to identify personnel with specific job skills and experience that may be required to support contingency missions tasked to VA under the VA/Department of Defense Contingency Plan or mission assignments from other Federal departments and agencies, and for the development of plans at the enterprise, network, and medical center level for utilization of VHA personnel in support of disasters internal and external to VA.

RECORD SOURCE CATEGORIES:

The information will be provided by the individual VA employee and the VA medical facility (assigned facility) or other VA location at which the employee is employed. VHA OEM Headquarters will also provide information for updates of deployment status and availability. The Light Electronic Action Framework (LEAF) system is used to provide credentialing and privileging of health care providers and personnel.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

1. Selected information (such as name, station and telephone numbers) may be disclosed to other Federal departments and agencies that have an interest in or obligation to track or otherwise audit transfer of funds to VA for reimbursement of tasks.

2. Statistical information and other data may be disclosed to Federal, SLTT government agencies to assist in disaster planning and after-action reports.

3. Law Enforcement: To a Federal, SLTT or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing such law, provided that the disclosure is limited to information that, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature. The disclosure of the names and addresses of Veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701.

4. Disclosure may be made to any source, such as a police department or the Federal Bureau of Investigation, from which additional information is requested to the extent necessary to identify the individual, inform the source of the purpose(s) of the request, and to identify the type of information requested such as DEMPS, Clinical Deployment Team, Telehealth Emergency Management, or other VHA personnel present at a crime scene caused by terrorists.

5. Disclosure may be made to an agency in the executive, legislative, or judicial branch or the District of Columbia Government in response to its request, or at the initiation of VA, for information in connection with the selection of an employee for the deployment and future training of an individual, the letting of a contract, the issuance of a license, grant or other benefits by the requesting agency, or the lawful statutory, administrative or investigative purpose of the agency to the extent that the information is relevant and necessary to the requesting agency's deployment/Federal Response Framework needs.

6. Congress: To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

7. National Archives and Records Administration (NARA): To NARA in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.

8. State Licensing Boards, for Licensing: To a Federal agency, a state or local government licensing board, the Federation of State Medical Boards or a similar non-governmental entity that maintains records concerning individuals' employment histories or concerning the issuance, retention or revocation of licenses, certifications or registration necessary to practice an occupation, profession or specialty, to inform such non-governmental entities about the health care practices of a terminated, resigned or retired health care employee whose professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients in the private sector or from another Federal Agency. These records may also be disclosed as part of an ongoing computer matching program to accomplish these purposes.

9. The Joint Commission, for Accreditation: To survey teams of The Joint Commission, College of American Pathologists, American Association of Blood Banks, and similar national accreditation agencies or boards with which VA has a contract or agreement to conduct such reviews, as relevant and necessary for the purpose of program review or the seeking of accreditation or certification.

10. Data Breach Response and Remediation, for Another Federal Agency: To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government or national security, resulting from a suspected or confirmed breach.

11. Department of Justice (DoJ), Litigation, Administrative Proceeding: To DoJ, or in a proceeding before a court, adjudicative body or other administrative body before which VA is authorized to appear, when:

(a) VA or any component thereof;

(b) Any VA employee in their official capacity;

(c) Any VA employee in their individual capacity where DoJ has agreed to represent the employee; or

(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components, is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings.

12. Information on deployment to Federal/VHA emergencies, performance, or other personnel-related material may be disclosed to any facility with which there is, or there is proposed to be, an affiliation, sharing agreement, contract or similar arrangement, for purposes of establishing, maintaining or expanding any such relationship.

13. Information concerning a health care provider's professional qualifications and clinical privileges may be disclosed to a VA/emergency disaster-served client patient, or the representative or guardian of a patient who, due to physical or mental incapacity, lacks sufficient understanding or legal capacity to make decisions concerning his or her medical care, who is receiving or contemplating receiving medical or other patient care services from the provider when the information is needed by the patient or the patient's representative or guardian in order to make a decision related to the initiation of treatment, continuation or discontinuation of treatment, or receiving a specific treatment that is proposed or planned by the provider. Disclosure will be limited to information concerning the health care provider's professional qualifications (professional education, training and current licensure/certification status), professional employment history and current clinical privileges.

14. Unions: To officials of labor organizations recognized under 5 U.S.C. chapter 71(b)(4) when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices and matters affecting working conditions.

15. Information may be disclosed to the VA-appointed representative of an employee of all notices, determinations, decisions or other written communications issued to the employee in connection with an examination ordered by VA under medical evaluation (formerly fitness-for-duty) examination procedures or Department-filed disability retirement procedures.

16. Merit Systems Protection Board (MSPB): To the MSPB and the Office of the Special Counsel in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

17. Equal Employment Opportunity Commission (EEOC): To the EEOC in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs or other functions of the Commission as authorized by law.

18. Federal Labor Relations Authority (FLRA): To the FLRA in connection with: The investigation and resolution of allegations of unfair labor practices, the resolution of exceptions to arbitration awards when a question of material fact is raised; matters before the Federal Service Impasses Panel; and the investigation of representation petitions and the conduct or supervision of representation elections.

19. Contractors: To contractors, grantees, experts, consultants, students and others performing or working on a contract, service, grant, cooperative agreement or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.

20. Federal Agencies, Fraud and Abuse: To other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

21. Data Breach Response and Remediation, for VA: To appropriate agencies, entities and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs and operations), the Federal Government or national security; and (3) the disclosure made to such agencies, entities or persons reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize or remedy such harm.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Automated records are maintained at all levels of management outlined in system location. Automated information is stored in this database.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records in this system are retrieved by the name, professional title, VISN, home station, professional specialty, job position title, etc., of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

An automated database of deployable personnel will be maintained by VHA OEM. If an individual transfers to another VA facility location, the individual's data will be reassigned within the system to the new location. Records in this system are retained and disposed of in accordance with the schedule approved by the Archivist of the United States, VHA Records Control Schedule 10–1, Item Number 1270.1.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

1. Access to VA working and storage areas in VA health care facilities are restricted to VA employees on a need-to-know basis; strict control measures are enforced to ensure that disclosure to these individuals is also based on this same principle. Generally, VA file areas are locked after normal duty hours, and the health care facilities are protected from outside access by the VA Police Service, Federal Protective Service or other security personnel.

2. All tiers of the VHA PIMS application stack are hosted in a highly available, resilient and redundant virtual hosting environment. The internet connection is provided through the Department of Energy's Energy Science Network (ES.NET), managed by ORAU under a DOE Authority to Operate (ATO). As part of the ATO, VHA PIMS has been built in accordance with applicable Federal Information Security Management Act and National Institute of Standards and Technology (NIST) security and privacy control requirements for Federal information systems with implementation of all baseline security controls commensurate with the Federal Information Processing Standard 199 system security categorization. ORAU handles data in PIMS in accordance with the appropriate NIST classification.

RECORD ACCESS PROCEDURES:

Individuals seeking information on the existence and content of records in this system pertaining to them should contact the system manager in writing as indicated above, or the individuals may write, call or visit the VA facility location where they made application for employment or are (or were) employed. A request for access to records must contain the requester's full name, address, telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort.

CONTESTING RECORD PROCEDURES:

Individuals seeking to contest or amend records in this system pertaining to them should contact the system manager in writing as indicated above. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.

NOTIFICATION PROCEDURES:

Generalized notice is provided by the publication of this notice. For specific notice, see Record Access Procedure, above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

65 FR 25531 (May 2, 2000); 75 FR 4458 (January 27, 2010).