07/02/2026 | Press release | Distributed by Public on 07/02/2026 06:52
Veterans Health Administration (VHA), Department of Veterans Affairs (VA).
Notice of a modified system of records.
Pursuant to the Privacy Act of 1974, notice is hereby given that VA is modifying the system of records titled "Patient Medical Records-VA" (24VA10A7). This system is used for ongoing treatment of individuals and patients; documentation of treatment provided; payment; health care operations such as producing various management and patient follow-up reports; responding to patient and other inquiries; for epidemiological research and other health care related studies; statistical analysis, resource allocation, and planning; providing clinical and administrative support to patient medical care; and determining entitlement and eligibility for VA benefits.
Comments must be received by August 3, 2026. This modified system of records is effective as of July 2, 2026 unless modified by a subsequent notice incorporating any comments received.
Comments may be submitted through www.regulations.gov or mailed to VA Privacy Service, 810 Vermont Avenue NW, Washington, DC 20420. Comments should indicate that they are submitted in response to "Patient Medical Records-VA" (24VA10A7). Comments received will be available at www.regulations.gov for public viewing, inspection, or copies.
Stephania Griffin, Chief Privacy Officer, Veterans Health Administration, [email protected], (704) 245-2492.
VA is modifying the system by revising the System Number; System Location; System Manager; Purpose; Categories of Records in the System; Records Source Categories; Routine Uses of Records Maintained in the System; Policies and Practices for Storage of Records; Policies and Practices for Retrieval of Records; Administrative, Technical and Physical Safeguards; Record Access Procedures; Contesting Record Procedures; and Notification Procedure.
System Number is being updated from 24VA10A7 to 24VA10 to reflect the current VHA organizational routing symbol.
System Location is being amended to "Primary Data Center in Chicago, IL and Continuity of Operations/Disaster Recovery Data Center in Ashburn, VA." Being added are the "VA Boston Development Center," "VA Health Data Repository (HDR), located at the VA National Data Centers," and "VA Records Center and Vault."
System Manager(s) is being amended to remove "Clinical Health Data Repository/Health Data Repository: Director, Clinical Informatics and Data Management Office (10A7A), 810 Vermont Avenue NW, Washington, DC 20420."
Purpose(s) of the System is being amended to replace "automated" with "electronic" and add "telehealth."
Categories of Records in the System: Section (i) is being amended to replace "automated" with "electronic." "Veterans and Beneficiaries Identification and Records Location Subsystem-VA" (38VA23) is being removed from this section as this SORN was rescinded and is now encompassed in "Compensation, Pension, Education, and Vocational Rehabilitation and Employment Records-VA" (58VA21/22/28). Section (ii) is being amended to include "regardless of where health care is provided." Section (iii) is being moved to Section (iv), and the new Section (iii) will state "Federal electronic health record ( e.g., PowerChart, CareAware View, FirstNet, Enterprise Document Management) hosted in the Federal Electronic Health Record (EHR) enclave used by Department of War (DoW), VA and other specific agencies." Section (iv) is being updated to include My VA Health, Message Center, PowerChart, Individual Longitudinal Exposure Record (ILER), Integration Control Number (ICN), Electronic Data Interchange Personal Identifier (EDIPI) and Financial Identification Number (FIN).
Record Source Categories is being amended to remove "Veterans and Beneficiaries Identification and Records Location Subsystem-VA" (38VA23).
Routine Uses will be renumbered in its entirety to address duplicate routine uses (routine uses number 11, 12, and 31) and update language.
Policies and Practices for Retrievability of Records is being amended to add "Integration Control Number (ICN) and Electronic Data Interchange Personal Identifier (EDIPI)."
Administrative, Technical, and Physical Safeguards: Section 2 is being updated to remove "Automated Data Processing (ADP) peripheral devices are generally placed in secure areas or are otherwise protected." Section 4 is being removed, which stated, "Access to the VA Health Data Repository, located at the VA National Data Centers, is generally restricted to Center employees, custodial personnel, Federal Protective Service, and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. Information stored in the computer may be accessed by authorized VA employees at remote locations including VA health care facilities, VA Central Office, Veterans Integrated Service Networks (VISN), and Office of Inspector General (OIG) Central Office and field staff. Access is controlled by USAccess card or individually unique passwords/codes that must be changed periodically by the employee." Section 5 is being amended to remove "VA Central Office." New section 7 is being added, which states, "VA Enterprise Cloud data storage conforms to security protocols as stipulated in VA Directives 6500 and 6517. Access control standards are stipulated in specific agreements with Cloud vendors to restrict and monitor access."
Record Access Procedure is being amended to state, "Individuals seeking information regarding access to VA medical records in this system pertaining to them should contact the system manager in writing as indicated above, or may write, call, or visit the last VA facility where medical care was provided. A request for access to records must contain the requester's full name, address and telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort."
Contesting Record Procedures is being amended to state, "Individuals seeking to contest or amend records in this system pertaining to them should contact the system manager in writing as indicated above, or may write, call, or visit the last VA facility where medical care was provided. A request to contest or amend records must be signed, state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record."
Notification Procedure section is being amended to state, "Individuals who wish to be notified if a record in this system of records pertains to them should submit the request following the procedures described in "Record Access Procedures," above."
The Report of Intent to Amend a System of Records Notice (Narrative Statement) and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Paul R. Lawrence, Assistant Secretary for Information and Technology and Chief Information Officer, Department of Veterans Affairs approved this document on May 26, 2026 for publication.
"Patient Medical Records-VA" (24VA10).
Unclassified.
Records are maintained at each VA health care facility (in most cases, backup information is stored at off-site locations), VA Enterprise Cloud Data Centers/Amazon Web Services, 1915 Terry Avenue, Seattle, WA 98101 and contracted data repository sites, such as the Cerner Technology Centers (CTC): Primary Data Center in Chicago, IL, and Continuity of Operations/Disaster Recovery Data Center in Ashburn, VA. Subsidiary record information is maintained at the various respective services within the health care facility ( e.g., Pharmacy, Fiscal, Dietetic, Clinical Laboratory, Radiology, Social Work, Psychology) and by individuals, organizations, and/or agencies with which VA has a contract or agreement to perform such services, as VA may deem practicable.
Address locations for VA facilities are listed in Appendix 1 of the biennial publication of the VA Privacy Act Issuances; VA National Data Centers; Federal Records Center; VA Records Center and Vault; VA Boston Development Center, VA Chief Information Office (CIO) Field Offices; Veterans Integrated Service Networks (VISN); and Regional and General Counsel Office.
Director, Health Information Governance, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420.
38 U.S.C. 501(b), 304.
The electronic and paper records may be used for such purposes as: ongoing treatment of individuals and patients including through telehealth; documentation of treatment provided; payment; health care operations such as producing various management and patient follow-up reports; responding to patient and other inquiries; for epidemiological research and other health care related studies; statistical analysis, resource allocation and planning; providing clinical and administrative support to patient medical care; determining entitlement and eligibility for VA benefits; processing and adjudicating benefit claims by Veterans Benefits Administration Regional Office (VARO) staff; for audits, reviews, and investigations conducted by staff of the health care facility, the networks, VA Central Office, and the VA Office of Inspector General (OIG); sharing of health information between and among Veterans Health Administration (VHA), DoW, Indian Health Services (IHS), and other government and private industry health care organizations; quality assurance audits, reviews, and investigations; personnel management and evaluation; employee ratings and performance evaluations; and employee disciplinary or other adverse action, including discharge; advising health care professional licensing or monitoring bodies or similar entities of activities of VA and former VA health care personnel; accreditation of a facility by an entity such as the Joint Commission (TJC); and notifying medical schools of medical students' performance and billing.
1. Veterans who have applied for health care services under Chapter 17 of 38 U.S.C. and members of their immediate families;
2. Spouses, surviving spouses, and children of Veterans who have applied for health care services under Chapter 17 of 38 U.S.C.;
3. Beneficiaries of other Federal agencies;
4. Individuals examined or treated under contract or resource sharing agreements;
5. Individuals examined or treated for research or donor purposes;
6. Individuals who have applied for Title 38 benefits but who do not meet the requirements under Title 38 to receive such benefits;
7. Individuals who were provided medical care under other circumstances, including but not limited to, emergency conditions for humanitarian reasons;
8. Pensioned members of allied forces provided health care services under Chapter I of 38 U.S.C.; and
9. Caregivers.
The medical record is a consolidated health record (CHR) which may include:
(i) An administrative (non-clinical information) record ( e.g., medical benefit application and eligibility information) including information obtained from Veterans Benefits Administration electronic records such as the "Compensation, Pension, Education and Rehabilitation Records-VA" (58VA21/22/28), and correspondence about the individual;
(ii) A medical record (a cumulative account of sociological, diagnostic, counseling, rehabilitation, drug and alcohol, dietetic, medical, surgical, dental, psychological, and/or psychiatric information compiled by VA professional staff regardless of where health care is provided and non-VA health care providers), and
(iii) Federal electronic record information ( e.g., PowerChart, CareAware View, FirstNet, Enterprise Document Management) hosted in the Federal EHR enclave used by (DoW) VA and other specific agencies,
(iv) Subsidiary record information ( e.g., Bed Management Solution (BMS), tumor registry, certain clinically oriented information associated with My Health e Vet/My VA Health such as secure messages and Message Center, minimum data set, Individual Longitudinal Exposure Record (ILER), dental, pharmacy, nuclear medicine, clinical laboratory, radiology, and patient scheduling information). The CHR may also include identifying information ( e.g., name, address, date of birth, VA claim number, social security number); medical record number, integration control number (ICN), Electronic Data Interchange Personal Identifier (EDIPI), Financial Identification Number (FIN), military service information ( e.g., dates, branch and character of service, service number, medical information); family information ( e.g., next of kin and person to notify in an emergency; address information, name, social security number and date of birth for Veteran's spouse and dependents; family medical history information); employment information ( e.g., occupation, employer name and address); financial information ( e.g., family income; assets; expenses; debts; amount and source of income for Veteran, spouse, and dependents); third-party health plan contract information ( e.g., health insurance carrier name and address, policy number, amounts billed and paid); and information pertaining to the individual's medical, surgical, psychiatric, dental, and/or psychological examination, evaluation, and/or treatment ( e.g., information related to the chief complaint and history of present illness; information related to physical, diagnostic, therapeutic special examinations; clinical laboratory, pathology and x-ray findings; operations; medical history; medications prescribed and dispensed; treatment plan and progress; consultations; photographs taken for identification and medical treatment; education and research purposes; facility locations where treatment is provided; observations and clinical impressions of health care providers to include identity of providers and to include, as appropriate, the present state of the patient's health; and an assessment of the patient's emotional, behavioral, and social status, as well as an assessment of the patient's rehabilitation potential and nursing care needs). Abstract information ( e.g., environmental, epidemiological and treatment regimen registries) is maintained in auxiliary paper and electronic records.
The individual receiving care, patients, family members, friends, or accredited representatives, employers; military service departments; health insurance carriers; private medical facilities and health care professionals; State and local agencies; other Federal agencies ( e.g., DoW; VA Regional Offices; VHA national databases; Veterans Benefits Administration automated record systems (the "Compensation, Pension, Education and Rehabilitation Records-VA" (58VA21/22/28); and various electronic systems providing clinical and managerial support to VA health care facilities.
To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information, and 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia, or infection with the Human Immunodeficiency Virus (HIV), that information may not be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
1. Government Agencies, Health Organizations, for Claimants' Benefits: To Federal, State, and local government agencies and national health organizations as reasonably necessary to assist in the development of programs that will be beneficial to claimants, to protect their rights under law, and assure that they are receiving all benefits to which they are entitled.
2. Claims Representatives, for Title 38 Benefits: To accredited service organizations, VA-approved claim agents, and attorneys acting under a declaration of representation, upon request, so that these individuals can aid claimants in the preparation, presentation, and prosecution of claims under the laws administered by VA, provided that the disclosure is limited to information relevant to a claim, such as the name, address, the basis and nature of a claim, amount of benefit payment information, medical information, and military service and active duty separation information.
3. Governmental Agencies, for VA Hiring, Security Clearance, Contract, License, Grant: To a Federal, State, local, or other governmental agency maintaining civil or criminal violation records, or other pertinent information, such as employment history, background investigations, or personal or educational background, to obtain information relevant to VA's hiring, transfer, or retention of an employee, issuance of a security clearance, letting of a contract, or issuance of a license, grant, or other benefit. A disclosure of information about Veterans or their dependents from VA claims files under this routine use must also comply with the requirements of 38 U.S.C. 5701(f).
4. Federal Agencies, for Employment: To a Federal agency, except the United States Postal Service, or the District of Columbia government, in response to its request, in connection with that's agency's decision on the hiring, transfer, or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit by that agency.
5. Family, Partner, for Notification of Patient Status: To family members or the persons involved in the patient's care or with whom the patient has a meaningful relationship, provided that the disclosure is made by appropriate VA personnel to the extent necessary, on a need-to-know basis, and consistent with good medical ethical practices.
6. Guardians, Courts, for Incompetent Veterans: To a court, magistrate, or administrative tribunal in matters of guardianship, inquests, and commitments; to private attorneys representing Veterans rated incompetent in conjunction with issuance of Certificates of Incompetency; or to probation and parole officers in connection with court-required duties.
7. Guardians Ad Litem, for Representation: To a fiduciary or guardian ad litem in relation to their representation of a claimant in any legal proceeding as relevant and necessary to fulfill the duties of the fiduciary or guardian ad litem.
8. Congress: To a member of Congress or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.
9. Nonprofits, for Release of Name and Address: To a nonprofit organization if the release is directly connected with the conduct of programs and the utilization of benefits under Title 38 provided that the disclosure is limited the names and addresses of present or former members of the armed services or their beneficiaries, the records will not be used for any purpose other than that stated in the request, and the organization is aware of the penalty provision of 38 U.S.C. 5701(f).
10. Red Cross, for Emergency Leave: To the American Red Cross for the purpose of justifying emergency leave, provided that the disclosure is limited to information about the nature of the patient's illness, probable prognosis, estimated life expectancy, and need for the presence of the related Service Member.
11. Attorneys, Insurers, Employers, for Preparation, Prosecution of Claims: To attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and courts, boards, or commissions as relevant and necessary to aid VA in the preparation, presentation, and prosecution of claims authorized by law.
12. Researchers, for Research: To epidemiological and other research facilities approved by the Under Secretary for Health for research purposes determined to be necessary and proper, provided that the names and addresses of Veterans and their dependents will not be disclosed unless those names and addresses are first provided to VA by the facilities making the request.
13. Federal Agencies, for Research: To a Federal agency for the purpose of conducting research and data analysis to perform a statutory purpose of that Federal agency upon the written request of that agency.
14. Department of Justice, Litigation, Administrative Proceeding: To the Department of Justice (DoJ) or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when any of the following is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings:
a. VA or any component thereof;
b. A VA employee in their official capacity;
c. A VA employee in their individual capacity, where DOJ has agreed to represent the employee; or
d. The United States, where VA determines that litigation is likely to affect the agency or any of its components.
15. Health Care Providers, for Referral to VA: To a non-VA health care provider when that health care provider has referred the individual to VA for medical or other health services.
16. National Archives and Records Administration: To National Archives and Records Administration (NARA) in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.
17. Third Party, for Benefit or Discharge: To a third party upon the written request of the patient's next-of-kin in order for a non-judicially declared incompetent patient or, consistent with the best interest of the patient, a member of the patient's family to receive a benefit to which the patient or family member is entitled or to arrange for the patient's discharge from a VA medical facility. Sufficient data to make an informed determination will be made available to such next-of-kin. If the patient's next-of-kin is not reasonably accessible, the Chief of Staff, Director, or designee of the custodial VA medical facility may disclose the information for these purposes.
18. State Licensing Boards, for Licensing: To a Federal agency, a State or local government licensing board, the Federation of State Medical Boards, or a similar non-governmental entity that maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty, to inform such non-governmental entities about the health care practices of a terminated, resigned, or retired health care employee whose professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients in the private sector or from another Federal agency. These records may also be disclosed as part of an ongoing computer matching program to accomplish these purposes.
19. Public Health Authorities, for Human Immunodeficiency Virus: To a Federal, State, or local public health authority that is charged by law with the protection of the public health, provided that the disclosure is limited to information maintained in connection with the performance of any program or activity relating to infection with Human Immunodeficiency Virus (HIV), if disclosure of the information to that public health authority is required by law, and a qualified representative of such authority has made a written request that such record be provided as required by the law for a purpose authorized by the law. The person to whom information is disclosed should be advised, consistent with 38 U.S.C. 7332(b)(2)(C), that they may not re-disclose or use the information for a purpose other than that for which the disclosure was made. A disclosure of information about Veterans or their beneficiaries from VA claims files under this routine use must comply with the provisions of 38 U.S.C. 5701(f).
20. Partner, for Human Immunodeficiency Virus: To the spouse of the patient or subject, an individual with whom the patient or subject has a meaningful relationship, or an individual whom the patient or subject has identified as being a sexual partner of the patient or subject, provided that the disclosure is limited to information indicating that a patient or subject is infected with HIV and made by a physician or professional counselor during the process of professional counseling or of testing to determine whether the patient or subject is infected with the virus, if the physician or counselor, after making reasonable efforts to counsel and encourage the patient or subject to provide the information to the spouse or sexual partner, determines that the disclosure is necessary to protect the health of the spouse or sexual partner. Such disclosures should, to the extent feasible, be made by the patient's or subject gives consent to being tested for HIV, as part of pre-testing counseling, the patient or subject must be informed fully about these notification procedures.
21. National Practitioner Data Bank for Hiring, Privileging: To the National Practitioner Data Bank at the time of hiring or clinical privileging/re-privileging of health care practitioners, and other times as deemed necessary by VA, in order for VA to obtain information relevant to a Department decision concerning the hiring, privileging/re-privileging, retention, or termination of the applicant or employee.
22. National Practitioner Data Bank, State Licensing Board, for Medical Malpractice: To the National Practitioner Data Bank or State Licensing Board in which a practitioner is licensed, in which the VA facility is located, or in which an act or omission occurred upon which a medical malpractice claim was based when VA reports information concerning:
(a) Any payment for the benefit of a physician, dentist, or other licensed health care practitioner that was made as the result of a settlement or judgment of a claim of medical malpractice, if an appropriate determination is made in accordance with Department policy that payment was related to substandard care, professional incompetence, or professional misconduct on the part of the individual;
(b) A final decision which relates to possible incompetence or improper professional conduct that adversely affects the clinical privileges of a physician or dentist for a period longer than 30 days; or
(c) The acceptance of the surrender of clinical privileges or any restriction of such privileges by a physician or dentist, either while under investigation by the health care entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding. These records may also be disclosed as part of a computer matching program to accomplish these purposes.
23. Vets Home, for Treatment: To a State Veterans Home for the purpose of medical treatment or follow-up at the state home when VA makes payment of a per diem rate to the state home for the patient receiving care at such home, and the patient receives VA medical care.
24. Health Care Providers, for Referral by VA: To: (a) a Federal agency or a health care provider when VA refers a patient for medical and other health services, or authorizes a patient to obtain such services and the information is needed by the Federal agency or health care provider to perform the services; or (b) a Federal agency or a health care provider under the provisions of 38 U.S.C. 513, 7409, 8111, or 8153, when treatment is rendered by VA under the terms of such contract or agreement, or the issuance of an authorization, and the information is needed for purposes of medical treatment or follow-up, determination of eligibility for benefits, or recovery by VA of the costs of the treatment.
25. The Joint Commission: To survey teams of The Joint Commission, College of American Pathologists, American Association of Blood Banks, and similar national accrediting agencies or boards with which VA has a contract or agreement to conduct such reviews, as relevant and necessary for the purpose of program review or the seeking of accreditation or certification.
26. Nursing Home, for Pre-Admission Screening: To a non-VA nursing home facility that is considering the patient for admission, when information concerning the individual's medical care is needed for the purpose of preadmission screening under 42 CFR 483.20(f) to identify patients who are mentally ill or mentally retarded so they can be evaluated for appropriate placement.
27. Medical Schools, for Evaluating Students: To a medical or nursing school, or other facility with which VA has an affiliation, sharing agreement, contract, or similar arrangement, provided that the disclosure is limited to information that relates to the performance of a health care student or provider enrolled at or employed by the school or training institution or other facility, and the information is needed for personnel management, rating, or evaluation purposes.
28. Contractors: To contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.
29. Federal Agencies, for Computer Matches: To other Federal agencies for the purpose of conducting computer matches to obtain information to determine or verify eligibility of Veterans receiving VA benefits or medical care under Title 38.
30. Social Security Administration, Department of Health and Human Services, for Social Security Number Validation: To the Social Security Administration, Department of Health and Human Services (HHS) for the purpose of conducting computer matches to obtain information to validate the SSN maintained in VA records.
31. Food and Drug Administration, for Adverse Drug Reaction: To the Food and Drug Administration, HHS provided that the disclosure is limited to information concerning an adverse drug reaction of a patient, for purpose of quality of care management, including detection, treatment, monitoring, reporting, analysis, and follow-up actions pertaining to adverse drug reactions.
32. Federal Agencies, for Recovery of Medical Care Costs: To Federal agencies and Government-wide third-party insurers responsible for payment of the cost of medical care for the identified patients, to seek recovery of the medical care costs. These records may also be disclosed as part of a computer matching program to accomplish this purpose.
33. VA Disciplinary Appeals Board: To a former VA employee, as well as an authorized representative of the employee, whose case is under consideration by the VA Disciplinary Appeals Board pursuant to 38 U.S.C. 7464, in connection with the considerations of the Board, to the extent the Board considers appropriate for purposes of the proceedings of the Board in that case, when authorized by the chairperson of the Board.
34. Partner, for Hepatitis: To the spouse of the patient, the person or subject with whom the patient has a meaningful relationship, or an individual whom the patient or subject has identified as being a sexual partner of the patient or subject, provided that the disclosure is limited to information indicating that a patient or subject is infected with hepatitis C and made by a physician or professional counselor.
35. Federal Labor Relations Authority: To the Federal Labor Relations Authority in connection with the investigation and resolution of allegations of unfair labor practices, the resolution of exceptions to arbitration awards when a question of material fact is raised, matters before the Federal Service Impasses Panel, and the investigation of representation petitions and the conduct or supervision of representation elections.
36. Unions, for Representation: To officials of labor organizations recognized under 5 U.S.C. Chapter 71 provided that the disclosure is limited to information identified in 5 U.S.C. 7114(b)(4) that is relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions.
37. Merit Systems Protection Board: To the Merit Systems Protection Board in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, such other functions promulgated in 5 U.S.C. 1205 and 1206, or as otherwise authorized by law.
38. Equal Employment Opportunity Commission: To the Equal Employment Opportunity Commission (EEOC) in connection with investigations of alleged or possible discriminatory practices, examinations of Federal affirmative employment programs, or other functions of the Commission as authorized by law.
39. Health/Welfare Agencies, etc., for Veterans Basic/Emergency Needs: To health and welfare agencies, housing resources, and utility companies, in situations where VA needs to act quickly in order to provide basic or emergency needs for the Veteran and Veteran's family where the family resides with the Veteran or serves as a caregiver.
40. Funeral Homes, for Arrangements: To funeral directors or representatives of funeral homes in order for them to make necessary arrangements prior to and in anticipation of a Veteran's impending death.
41. Food and Drug and Administration, for Adverse Drug Reaction: To the Food and Drug Administration (FDA), or a person subject to the jurisdiction of the FDA, with respect to FDA-regulated products for purposes of reporting adverse events, product defects or problems, or biological product deviations; tracking products; enabling product recalls, repairs, or replacement; or conducting post marketing surveillance.
42. Non-VA Health Care Providers, for Treatment: To a non-VA health care provider, such as the DoW and HHS, for the purpose of treating any VA patient, including Veterans.
43. Phone Operators, for the Hearing-Impaired: To telephone company operators facilitating phone calls to or for hearing-impaired individuals using telephone devices for the hearing-impaired, including Telecommunications Device for the Deaf or Text Telephones.
44. Law Enforcement, for Locating Fugitive: To any Federal, State, local, territorial, tribal, or foreign law enforcement agency in order to identify, locate, or report a known fugitive felon, in compliance with 38 U.S.C. 5313B(d).
45. Organ Procurement Agencies, for Determination of Suitability: To an Organ Procurement Organization, a designated requester that is a non-VA employee, or their designees acting on behalf of local Organ Procurement Organizations, for the purpose of determining suitability of a patient's organs or tissues for organ donation, provided that the information does not reveal medical treatment related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia, or infection with HIV, and the names and addresses of Veterans and their beneficiaries, and the disclosure is made by VA employees who are designated requesters (individuals who have completed a course offered or approved by an Organ Procurement Organization), or their designee.
46. Department of Defense, for Military Mission: To DoW or its components, provided that the disclosure is limited to information regarding individuals treated under 38 U.S.C. 8111A, for the purpose deemed necessary by appropriate military command authorities to assure proper execution of the military mission.
47. Federal Agencies, Fraud and Abuse: To other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.
48. Data Breach Response and Remediation, for VA: To appropriate agencies, entities, and persons when: (a) VA suspects or has confirmed that there has been a breach of the system of records; (b) VA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
49. Health Care Effectiveness Data and Information Set Quality Review: To health plans, quality review and/or peer review organizations in connection with the audit of claims or other review activities to determine quality of care or compliance with professionally accepted claims processing standards.
50. Travel Agencies: To travel agencies, transportation carriers, or others authorized to act on behalf of VA to provide or arrange travel for examination, treatment, or care, or in connection with vocational rehabilitation or counseling services.
51. Former Employee or Contractor, Representative, for Litigation Involving Individual: To a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in pending or reasonably anticipated litigation against the individual regarding health care provided during the period of their employment or contract with VA.
52. Former Employee or Contractor, Representative, for Litigation Involving VA: To a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in defense or reasonable anticipation of a tort claim, litigation, or other administrative or judicial proceeding involving VA when the Department requires information or consultation assistance from the former employee or contractor regarding health care provided during the period of their employment or contract with VA.
53. Former Employee or Contractor, Representative, for Malpractice: To a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in connection with or in consideration of the reporting of:
a. Any payment for the benefit of the former VA employee or contractor that was made as the result of a settlement or judgment of a claim of medical malpractice, if an appropriate determination is made in accordance with Department policy that payment was related to substandard care, professional incompetence, or professional misconduct on the part of the individual;
b. A final decision which relates to possible incompetence or improper professional conduct that adversely affects the former employee's or contractor's clinical privileges for a period longer than 30 days; or
c. The former employee's or contractor's surrender of clinical privileges or any restriction of such privileges while under investigation by the health care entity relating to possible incompetence or improper professional conduct to the National Practitioner Data Bank or the state licensing board in any state in which the individual is licensed, the VA facility is located, or an act or omission occurred upon which a medical malpractice claim was based.
54. Former Employee or Contractor, Representative, for State Licensing Board Reporting: To a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in connection with or in consideration of reporting that the individual's professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients, to a Federal agency, a state or local government licensing board, or the Federation of State Medical Boards or a similar nongovernmental entity that maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty.
55. Former Employee or Contractor, Representative, for Equal Employment Opportunity Commission: To a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in connection with investigations by the EEOC pertaining to alleged or possible discrimination practices, examinations of Federal affirmative employment programs, or other functions of the Commission as authorized by law or regulation.
56. Former Employee or Contractor, Representative, for Merit Systems Protection Board, Office of Special Counsel: To a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in proceedings before the Merit Systems Protection Board or the Office of Special Counsel in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as otherwise authorized by law.
57. State Prescription Drug Monitoring Program: To a State Prescription Drug Monitoring Program, or similar program, for the purpose of submitting to or receiving from the program information regarding prescriptions to an individual for controlled substances, as required under the applicable State law.
58. Centers for Medicare & Medicaid Services: To the Centers for Medicare and Medicaid Services and/or their designee to evaluate compliance with Medicare or Medicaid health care standards.
59. Department of War and Defense Health Agency: To DoW for the purpose of VA health care operations as defined in the Health Insurance Portability and Accountability Act of 1996 Privacy Rule, 45 CFR parts 160 and 164 and to Defense Health Agency (DHA), as a health care provider, for the purpose of DHA heath care operations.
60. Data Breach Response and Remediation, for Another Federal Agency: To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
61. Health Data Exchange Organizations: To an organization with whom VA has a documented partnership, arrangement or agreement ( e.g., Health Information Exchange, Health Information Service Provider Direct, CommonWell Health Alliance network), for the purpose of identifying and correlating patients.
62. Centers for Disease Control and Prevention: To the Centers for Disease Control and Prevention and/or its designee in response to its request or at the initiation of VA, in connection with disease-tracking, patient outcomes, bio-surveillance, or other health information required for program accountability.
63. Cardiac Arrest Registry to Enhance Survival (CARES) Program: To local communities to identify and track cases of hospital cardiac arrest and identify opportunities for quality improvement in the intervention, treatment and survival of such events.
64. Health Care Operations of a Federal Covered Entity: To Federal health care providers, for the purpose of performing quality improvement activities or other health care operations of the recipient Federal health care provider.
Records are maintained on paper, microfilm, electronic media including images and scanned documents, or laser optical media in the consolidated health record at the health care facility where care was rendered, in the VA Health Data Repository, at Federal Record Centers and Oracle Health Technology Centers. In most cases, copies of backup computer files are maintained at offsite locations. Subsidiary record information is maintained at the various respective services within the health care facility ( e.g., pharmacy, fiscal, dietetic, clinical laboratory, radiology, social work, psychology) and by individuals, organizations, and/or agencies with whom VA has a contract or agreement to perform such services, as the VA may deem practicable.
Records are retrieved by name, SSN, ICN, EDIPI, FIN, medical record number or other assigned identifiers of the individuals to whom they pertain.
Records in this system are retained and disposed of in accordance with the records disposition authority approved by the Archivist of the United States, VHA Records Control Schedule (RCS 10-1), Chapter 6, 6000.1d (N1-15-91-6, Item 1d) and 6000.2b (N1-15-02-3, Item 3).
1. Access to working spaces and patient medical record storage areas in VA health care facilities is restricted to authorized VA employees. Generally, filing areas are locked after normal duty hours. Health care facilities are protected from outside access by the Federal Protective Service and/or other security personnel. Access to patient medical records is restricted to VA employees who have a need for information in the performance of their official duties. Sensitive patient medical records, including employee patient medical records, records of public figures, or other sensitive patient medical records are generally stored in separate locked files or a similar electronically controlled access environment. Strict control measures are enforced to ensure that access to and disclosures from these patient medical records are limited.
2. Access to computer rooms within health care facilities is generally limited by appropriate locking devices and restricted to authorized VA employees and vendor personnel. Only authorized VA employees or vendor employees may access information in the system. Access to file information is controlled at two levels: the system recognizes authorized employees by a series of individually unique passwords/codes as a part of each data message, and the employees are limited to only that information in the file that is needed in the performance of their official duties. Information that is downloaded and maintained on personal computers must be afforded similar storage and access protections as the data that is maintained in the original files. Access by remote data users such as Veteran Outreach Centers, Veteran Service Officers with power of attorney to assist with claim processing, VARO staff for benefit determination and processing purposes, OIG staff conducting official audits or investigations, and other authorized individuals is controlled in the same manner.
3. Access to the VA National Data Centers is generally restricted to Center employees, custodial personnel, Federal Protective Service, and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. Information stored in the computer may be accessed by authorized VA employees at remote locations including VA health care facilities, VA Central Office, VISNs, and OIG Central Office and field staff. Access is controlled by individually unique passwords/codes that must be changed periodically by the employee.
4. Access to records maintained at the VA Boston Development Center, Chief Information Office Field Offices, and VISNs are restricted to VA employees who have a need for the information in the performance of their official duties. Access to information stored in electronic format is controlled by USAccess card or individually unique passwords/codes. Records are maintained in manned rooms during working hours. The facilities are protected from outside access during non-working hours by the Federal Protective Service or other security personnel.
5. Computer access authorizations, computer applications available and used, information access attempts, and frequency and time of use are recorded.
6. Access to Oracle Health Technology Centers is generally restricted to Oracle Health employees, contractors or associates with an Oracle Health issued ID badge and other security personnel cleared for access to the data center. Access to computer rooms housing Federal data, hence Federal enclave, is restricted to persons Federally cleared for Federal enclave access through electronic badge entry devices. All other persons, such as custodians, gaining access to Federal enclave are escorted.
7. VA Enterprise Cloud data storage conforms to security protocols as stipulated in VA Directives 6500 and 6517. Access control standards are stipulated in specific agreements with Cloud vendors to restrict and monitor access.
Individuals seeking information regarding access to VA medical records in this system pertaining to them should write, call or visit the Release of Information Office at the last VA health care facility where medical care was provided. A request for access to records must contain the requester's full name, address and telephone number, be signed by the requester and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort.
Individuals seeking to contest or amend records in this system pertaining to them should write, call or visit the Release of Information Office at the last VA health care facility where medical care was provided. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.
Individuals who wish to be notified if a record in this system of records pertains to them should submit the request following the procedures described in "Record Access Procedures," above.
None.
69 FR 18428 (April 7, 2004); 79 FR 47732 (August 14, 2014); 85 FR 62406 (October 2, 2020)