Privacy Act of 1974; System of Records

AGENCY:

Department of Veterans Affairs (VA), Veterans Health Administration (VHA).

ACTION:

Notice of a modified system of records.

SUMMARY:

Pursuant to the Privacy Act of 1974, notice is hereby given that the VA is modifying the system of records entitled, “Customer Relationship Management System (CRMS)-VA” (155VA10NB). This system is used for historical reference, quality assurance, training, and statistical reporting.

DATES:

Comments on this modified system of records must be received no later than 30 days after date of publication in the Federal Register . If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by the VA, the modified system of records will become effective a minimum of 30 days after date of publication in the Federal Register . If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

ADDRESSES:

Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), Washington, DC 20420. Comments should indicate that they are submitted in response to “Customer Relationship Management System (CRMS)-VA” (155VA10NB). Comments received will be available at regulations.gov for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT:

Stephania Griffin, Veterans Health Administration (VHA) Chief Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420; telephone 704–245–2492 ( Note: this is not a toll-free number) or Stephania.griffin@va.gov.

SUPPLEMENTARY INFORMATION:

VA is amending the system of records by revising the System Number; System Location; System Manager; Purpose of the System; Categories of Records in the System; Records Source Categories; Routine Uses of Records Maintained in the System; Policies and Practices for Retention and Disposal of Records; and Administrative Technical and Physical Safeguards. VA is republishing the system notice in its entirety.

The System Number is being updated from 155VA10NB to 155VA10 to reflect the current VHA organizational routing symbol.

The System Location and the Administrative, Technical and Physical Safeguards sections are being updated to replace Health Resource Center with VHA Member Services. The System Location will also be updated to include, “Information from these records or copies of these records may be maintained at VA Enterprise Cloud Data Centers/Amazon Web Services, 1915 Terry Avenue, Seattle, WA 98101.”

The System Manager is updated to replace Chief Business Officer (10NB), with Deputy Under Secretary for Health and Operations, VHA Member Services. Also, Director, Health Resource Center is replaced with Director, VHA Member Services.

The Purpose of the System is being modified to include, “tracking and managing inbound and outbound customer contacts across channels ( e.g., telephone, email, mail, chat), and maintaining customer support history. These records are used by Member Services Call Center agents to provide customer support to Veterans and their family members by allowing agents to resolve inbound calls and achieve first-call resolution as well as provide an efficient desktop, workflow, contact history and knowledge management capabilities. These records are also used to answer Veteran questions about VA and their care and enhance VA's ability to provide timely, valid responses to Veteran inquiries about benefits, eligibility and other matters.”

The Categories of Records in the System is being updated to include name and Social Security Number.

The Record Source Categories is being modified to include, “VA information systems, including but not limited to, Health Data Repository, Veterans Experience Integration Solution, VA Profile, Consolidated Copayment Processing Center System, and Master Person Index.”

Routine Use number 8 is being removed, which states, “Disclosure may be made to those officers and employees of the agency that maintains the record who have a need for the record in the performance of their duties.” Routine use number 8 will now be replaced with a new routine use to state, “To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.”

Policies and Practices for Storage of Records is being updated to remove the VA Office of Information Technology (OIT) approved location.

Policies and Practices for Retention and Disposal of Records is being updated to remove, “Electronic Service Records are purged when they are no longer needed for current operation.” This section is updated to state, “CRMS records will be maintained and disposed of in accordance with the schedule approved by the Archivist of the United States, Records Control Schedule (RCS) 10–1, 1925.1, Destroy 1 year after resolved, or when no longer needed for business use, whichever is appropriate.”

Administrative, Technical and Physical Safeguards is being updated to include number 6, “VA Enterprise Cloud data storage conforms to security protocols as stipulated in VA Directives 6500 and 6517. Access control standards are stipulated in specific agreements with cloud vendors to restrict and monitor access.”

The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Kurt D. DelBene, Assistant Secretary for Information and Technology and Chief Information Officer, approved this document on August 7, 2023 for publication.

SYSTEM NAME:

“Customer Relationship Management System (CRMS)-VA” (155VA10).

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Records and magnetic media are maintained at the Veterans Health Administration (VHA) Member Services, Topeka, Kansas facility or at another Office of Information Technology (OIT) approved location. Magnetic media are also stored at an OIT approved location for contingency back-up purposes. In addition, information from these records or copies of these records may be maintained at the Department of Veterans Affairs (VA) Enterprise Cloud Data Centers/Amazon Web Services, 1915 Terry Avenue, Seattle, WA 98101.

SYSTEM MANAGER(S):

Official responsible for policies and procedures: Deputy Under Secretary for Health and Operations, VHA Member Services, VA Central Office, 810 Vermont Avenue NW, Washington, DC 20420. Telephone number 202–461–4239 (this is not a toll-free number). Official maintaining the system: Director, VHA Member Services, 3401 SW 21st Street Bldg. 9, Topeka, Kansas 66604.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

38 U.S.C. 501(a), 1705, 1710, 1722, 1722(a), 1781 and 5 U.S.C. 552(a).

PURPOSE(S) OF THE SYSTEM:

The purpose of these records is used for historical reference, quality assurance, training, statistical reporting, tracking and managing inbound and outbound customer contacts across channels ( e.g., telephone, email, mail, chat), and maintaining customer support history. These records are used by Member Services Call Center agents to provide customer support to Veterans and their family members by allowing agents to resolve inbound calls and achieve first-call resolution as well as provide an efficient desktop, workflow, contact history and knowledge management capabilities. These records are also used to answer Veteran questions about VA and their care and enhance VA's ability to provide timely, valid responses to Veteran inquiries about benefits, eligibility and other matters.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

These records include information on Veterans, Veteran's family members, members of the general public, VA customers, and VA employees.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records include name, Social Security Number, address, date of birth, military identification number and other unique identifiers from individuals contacting VHA concerning: 1. Veteran health benefits eligibility and health care appointment request; 2. Veteran medical claims processing and payments; 3. Co-payments charged for medical care and prescriptions; 4. General administrative pharmacy inquiries; 5. General human resources management, ( e.g., employee benefits, recruitment/job applicants, etc.); and 6. Other information related to Veterans, Veteran's family members, members of the general public, VA customers, and VA employees.

RECORD SOURCE CATEGORIES:

Information in this system of records may be provided by Veterans, Veteran's family members, members of the general public, VA customers, VA employees, and VA information systems, including but not limited to, Health Data Repository, Veterans Experience Integration Solution, VA Profile, Consolidated Copayment Processing Center System, and Master Person Index.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information of VHA or any of its business associates, and 38 U.S.C. 7332; i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia, or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in both 38 U.S.C. 7332 and CFR parts 160 and 164 permitting disclosure.

1. Congress: To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

2. National Archives and Records Administration (NARA): To the NARA in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.

3. Department of Justice (DoJ), Litigation, Administrative Proceeding: To the DoJ, or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when:

(a) VA or any component thereof;

(b) Any VA employee in his or her official capacity;

(c) Any VA employee in his or her official capacity where DoJ has agreed to represent the employee; or

(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components, is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings.

4. Contractors: To contractors, grantees, experts, consultants, students and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.

5. Law Enforcement: To a Federal, state, local, territorial, tribal or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing such law, provided that the disclosure is limited to information that, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature. The disclosure of the names and addresses of Veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701.

6. Federal Agencies, Fraud and Abuse: To other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

7. Data Breach Response and Remediation, for VA: To appropriate agencies, entities and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize or remedy such harm.

8. Data Breach Response and Remediation, for Another Federal Agency: To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

9. Unions: To unions identified in 5 U.S.C. 7114(b)(4) to officials of labor organizations recognized under 5 U.S.C. Chapter 71 when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices and matters affecting working conditions.

10. Merit Systems Protection Board (MSPB): To the MSPB in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as otherwise authorized by law.

11. Equal Employment Opportunity Commission (EEOC): To the EEOC in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or other functions of the Commission as authorized by law.

12. Federal Labor Relations Authority (FLRA): To the FLRA in connection with the investigation and resolution of allegations of unfair labor practices, the resolution of exceptions to arbitration awards when a question of material fact is raised; matters before the Federal Service Impasses Panel; and the investigation of representation petitions and the conduct or supervision of representation elections.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored on electronic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records in this system are retrieved by name, Social Security Number or other assigned identifiers of the individuals on whom they are maintained.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

CRMS records will be maintained and disposed of in accordance with the schedule approved by the Archivist of the United States, Records Control Schedule (RCS) 10–1, 1925.1, Destroy one year after resolved, or when no longer needed for business use, whichever is appropriate.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

1. All entrance doors to the VHA Member Services Topeka, KS and Waco, TX locations require an electronic pass card to gain entry. Hours of entry to the facility are controlled based on position held and special needs. Visitors to the VHA Member Services are required to sign-in at a specified location and are escorted the entire time they are in the building or they are issued a temporary visitors badge. At the end of the visit, visitors are required to turn in their badge. The building is equipped with an intrusion alarm system which is activated when any of the doors are forced open or held ajar for a specified length of time. During business hours, the security system is monitored by the VA police and Member Services staff. After business hours, the security system is monitored by the VA telephone operator(s) and VA police. The VA police conduct visual security checks of the outside perimeter of the building.

2. Access to the building is generally restricted to Member Services staff and VA police, specified custodial personnel, engineering personnel, and canteen service personnel.

3. Access to computer rooms is restricted to authorized VA OIT personnel and requires entry of a personal identification number (PIN) with the pass card swipe. PINs must be changed periodically. All other persons gaining access to computer rooms are escorted. Information stored in the computer may be accessed by authorized VA employees at remote locations including the Health Eligibility Center in Atlanta, GA; Health Administration Center in Denver, CO; Consolidated Patient Accounting Center in Ashville, NC; and VA health care facilities.

4. All Member Services employees receive information security and privacy awareness training and sign the Rules of Behavior; training is provided to all employees on an annual basis. The Member Services Information System Security Officer performs an annual information security audit and periodic reviews to ensure the security of the system.

5. For contingency purposes, database backups on magnetic media are stored off-site at an approved VA OIT location.

6. VA Enterprise Cloud data storage conforms to security protocols as stipulated in VA Directives 6500 and 6517. Access control standards are stipulated in specific agreements with cloud vendors to restrict and monitor access.

RECORD ACCESS PROCEDURE:

Individuals seeking information on the existence and content of a related record in this system pertaining to them should contact the system manager in writing as indicated above or may write or visit the VA facility location where they normally receive their care.

CONTESTING RECORD PROCEDURES:

Individuals seeking to contest or amend records in this system pertaining to them should contact the system manager in writing as indicated above or inquire in person at the VA health care facility they normally receive their care. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.

NOTIFICATION PROCEDURE:

Generalized notice is provided by the publication of this notice. For specific notice, see Record Access Procedure, above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

73 FR 72123 (November 26, 2008), 80 FR 11531 (March 3, 2015).