Privacy Act of 1974; System of Records

Issuing agencies

Abstract

Pursuant to the Privacy Act of 1974, notice is hereby given that the VA is modifying the system of records titled, "Veteran, Patient, Employee, and Volunteer Research and Development Project Records-VA" (34VA10). This system of records is used to determine eligibility for research funding, to determine handling of intellectual properties, to manage proposed and/or approved research endeavors, and to evaluate the research and development program. This system may also be used for data analysis to address specific questions and gain generalizable knowledge and deepen understanding of a topic or issue.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 156 (Friday, August 15, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 156 (Friday, August 15, 2025)]
[Notices]
[Pages 39475-39479]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-15588]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Veterans Health Administration (VHA), Department of Veterans 
Affairs (VA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, notice is hereby given 
that the VA is modifying the system of records titled, ``Veteran, 
Patient, Employee, and Volunteer Research and Development Project 
Records-VA'' (34VA10). This system of records is used to determine 
eligibility for research funding, to determine handling of intellectual 
properties, to manage proposed and/or approved research endeavors, and 
to evaluate the research and development program. This system may also 
be used for data analysis to address specific questions and gain 
generalizable knowledge and deepen understanding of a topic or issue.

DATES: Comments on this modified system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by VA, the new 
system of records will become effective a minimum of 30 days after date 
of publication in the Federal Register. If VA receives public comments, 
VA shall review the comments to determine whether any changes to the 
notice are necessary.

ADDRESSES: Comments may be submitted through <a href="http://www.Regulations.gov">www.Regulations.gov</a> or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Veteran, Patient, Employee, and Volunteer Research and 
Development Project Records-VA'' (34VA10). Comments received will be 
available at <a href="http://regulations.gov">regulations.gov</a> for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, VHA Chief Privacy 
Officer, 810 Vermont Avenue NW, (10DH03A), Washington, DC 20420, 
<a href="/cdn-cgi/l/email-protection#45363120352d242b2c246b22372c23232c2b0533246b222a33"><span class="__cf_email__" data-cfemail="64171001140c050a0d054a03160d02020d0a2412054a030b12">[email&#160;protected]</span></a>, telephone number 704-245-2492. (Note: This is 
not a toll-free number).

SUPPLEMENTARY INFORMATION: VA is modifying this system of records by 
revising the System Location; System Manager; Records Source 
Categories; Routine Uses of Records Maintained in

[[Page 39476]]

the System; Policies and Practices for Retention and Disposal of 
Records, and Administrative, Technical, and Physical Safeguards, and 
Notification Procedure. VA is republishing the system notice in its 
entirety.
    The System Location is being updated to include that records are 
also located at the VA Enterprise Cloud Data Centers/Amazon Web 
Services, 1915 Terry Avenue, Seattle, WA 98101.
    The System Manager has been updated to include 
<a href="/cdn-cgi/l/email-protection#287e60697a4d5b4d495a4b40785a415e494b51685e49064f475e"><span class="__cf_email__" data-cfemail="c7918f8695a2b4a2a6b5a4af97b5aeb1a6a4be87b1a6e9a0a8b1">[email&#160;protected]</span></a>.
    The Records Source Categories has been updated to add research team 
members to, ``(8) research and development investigators'' as well as 
``(11) research sponsors and (12) other VA research subjects.''
    Policies and Practices for Retention and Storage of Records is 
being amended to state: ``Records in this system are retained and 
disposed of in accordance with the schedule approved by the Archivist 
of the United States, VHA Records Control Schedule 10-1, Item Number 
8300.6.''
    The following Routine Uses were updated for clarification purposes: 
Routine Use number 1 is being amended to state: ``Governmental 
Agencies, Health Organizations, for Claimants' Benefits: VA may 
disclose information to Federal, state, and local government agencies 
and national health organizations as reasonably necessary to assist in 
the development of programs that will be beneficial to claimants, to 
protect their rights under law, and assure that they are receiving all 
benefits to which they are entitled.
    Routine Use number 2 is being amended to state, ``Law Enforcement: 
VA may disclose information that, either alone or in conjunction with 
other information, indicates a violation or potential violation of law, 
whether civil, criminal, or regulatory in nature, to a Federal, state, 
local, territorial, tribal, or foreign law enforcement authority or 
other appropriate entity charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing such law. The disclosure of the names and addresses of 
Veterans and their dependents from VA records under this routine use 
must also comply with the provisions of 38 U.S.C. 5701. If the 
disclosure is in response to a request from a law enforcement entity, 
the request must meet the requirements for a qualifying law enforcement 
request under the Privacy Act, 5 U.S.C. 552a(b)(7).''
    Routine Use number 10 is being amended to state, ``Former Employee 
or Contractor, Representative, for State Licensing Board Reporting: VA 
may disclose information to a former VA employee or contractor, as well 
as the authorized representative of a current or former employee or 
contractor of VA, in connection with or in consideration of reporting 
that the individual's professional health care activity so 
significantly failed to conform to generally accepted standards of 
professional medical practice as to raise reasonable concern for the 
health and safety of patients, to a Federal agency, a state or local 
government licensing board, or the Federation of State Medical Boards 
or a similar non-governmental entity that maintains records concerning 
individuals' employment histories or concerning the issuance, 
retention, or revocation of licenses, certifications, or registration 
necessary to practice an occupation, profession, or specialty.''
    Routine uses number 21 is being added to state, ``Federal Agencies, 
for Research: VA may disclose information to a Federal agency for the 
purpose of conducting research and data analysis to perform a statutory 
purpose of that Federal agency upon the prior written request of that 
agency.''
    The Administrative, Technical, and Physical Safeguards section is 
being updated to include, ``The system is hosted in Amazon Web Services 
Government Cloud infrastructure as a service cloud computing 
environment that has been authorized at the high-impact level under the 
Federal Risk and Authorization Management Program. The secure site-to-
site encrypted network connection is limited to access via the VA 
trusted internet connection.''
    The Notification Procedures section is being updated to state `` 
``Individuals who wish to be notified if a record in this system of 
records pertains to them should submit the request following the 
procedures described in ``Record Access Procedures,'' above.''
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Eddie Pool, 
Deputy Chief Information Officer, Connectivity and Collaboration 
Services, Performing the Delegable Duties of the Assistant Secretary 
for Information and Technology and Chief Information Officer, approved 
this document on June 10, 2025 for publication.

     Dated: 8/13/2025.
Saurav Devkota,
Government Information Specialist, VA Privacy Service, Office of 
Compliance, Risk and Remediation, Office of Information and Technology, 
Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    ``Veteran, Patient, Employee, and Volunteer Research and 
Development Project Records-VA'' (34VA10)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained at each Department of Veterans Affairs (VA) 
health care facility where the research project was conducted, at VA 
facilities where research administration or oversight activities occur, 
and at VA Central Office. Address locations are listed in VA Appendix 1 
of the biennial Privacy Act Issuance publication. In addition, records 
are maintained at contractor and fieldwork sites as studies are 
developed, data collected, and reports written. Records are also 
located at the VA Enterprise Cloud/Amazon Web Services, 1915 Terry 
Avenue, Seattle, WA 98101.

SYSTEM MANAGER(S):
    Director of Office of Research Protections, Policy and Education, 
<a href="/cdn-cgi/l/email-protection#085e40495a6d7b6d697a6b60587a617e696b71487e69266f677e"><span class="__cf_email__" data-cfemail="f4a2bcb5a69187919586979ca4869d8295978db48295da939b82">[email&#160;protected]</span></a> or Office of Research and Development, 
Department of Veterans Affairs, 810 Vermont Ave. NW, Washington, DC 
20420. Telephone number 202-443-5681. (Note: this is not a toll-free 
number)

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    38 U.S.C. 7301.

PURPOSE(S) OF THE SYSTEM:
    The system may be used to determine eligibility for research 
funding, to determine handling of intellectual properties, to manage 
proposed and/or approved research endeavors, and to evaluate the 
research and development program. The system may also be used for data 
analysis to answer a specific question and obtain generalizable 
knowledge and increased understanding of a topic or issue.

[[Page 39477]]

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The following categories of individuals will be covered by this 
system: (1) Veterans; (2) patients; (3) employees; (4) volunteers 
(e.g., caregivers, non-patient/non-Veterans, VA research subjects) in 
research projects being performed by VA, by a VA contractor or by 
another Federal agency in conjunction with VA; (5) members of research 
committee or subcommittees; and (6) research and development 
investigators and research and development employees.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records, or information contained in records, vary according to the 
specific research involved or research related activity involved and 
may include: (1) Research on biomedical, prosthetic and health care 
services; (2) research stressing spinal cord injuries and diseases and 
other disabilities that tend to result in paralysis of the lower 
extremities; and (3) morbidity and mortality studies on former 
prisoners of war; (4) research related to injuries sustained while on 
active duty military service such as traumatic amputations, traumatic 
brain injury, and burns; (5) electronic or other databases containing 
research information developed during a research project(s) or for 
future research; (6) research information management systems such as 
the Research and Development Information System (RDIS); (7) copies of 
medical records of research participants; (8) merit review of the 
research projects; (9) review and evaluation of proposed research; (10) 
continuing review and oversight of ongoing research; (11) evaluations 
performed by research committees; (12) a review and evaluation of the 
research and development investigators and of the participants in the 
program; and (13) a contracted research review system. The review and 
evaluation information concerning the research and development 
investigators may include personal and educational background 
information as well as specific information concerning the type of 
research conducted. Invention records contain: a certification page, 
describing the place, time, research support related to the invention 
and co-inventors; Technology Transfer Program Invention Evaluation 
Sheet Internal or External Invention Assessment reports; RDIS reports 
or other research information management system reports contain 
compliance information involving research projects conduct, support and 
oversight; Correspondence; and the Office of General Counsel Letter of 
Determination.

RECORD SOURCE CATEGORIES:
    (1) Patients and patient records, (2) employees and volunteers, (3) 
other Federal agencies, (4) National Institutes of Health, (5) Centers 
for Disease Control (Atlanta, Georgia), (6) individual Veterans, (7) 
other VA systems of records and information technology systems or 
databases, (8) research and development investigators and research team 
members, (9) research and development databases, (10) non-subjects, 
(11) research sponsors, and (12) other VA research subjects.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
protected health information subject to the Health Insurance 
Portability and Accountability Act (HIPAA) Privacy Rule that 
information cannot be disclosed under a routine use unless there is 
also specific statutory authority in 38 U.S.C. 7332 and regulatory 
authority in 45 CFR parts 160 and 164, permitting disclosure.
    1. Governmental Agencies, Health Organizations, for Claimants' 
Benefits: To Federal, state, and local government agencies and national 
health organizations as reasonably necessary to assist in the 
development of programs that will be beneficial to claimants, to 
protect their rights under law, and assure that they are receiving all 
benefits to which they are entitled.
    2. Law Enforcement Authorities, for Reporting Violations of Law: To 
a Federal, state, local, territorial, tribal, or foreign law 
enforcement authority or other appropriate entity charged with the 
responsibility of investigating or prosecuting a violation or potential 
violation of law, whether civil, criminal, or regulatory in nature, or 
charged with enforcing or implementing such law, provided that the 
disclosure is limited to information that, either alone or in 
conjunction with other information, indicates such a violation or 
potential violation. A disclosure of information about veterans or 
their dependents from VA claims files under this routine use must also 
comply with the requirements of 38 U.S.C. 5701(f).
    3. Congress: To a Member of Congress or staff acting upon the 
Member's behalf when the Member or staff requests the information on 
behalf of, and at the request of, the individual who is the subject of 
the record.
    4. National Archives and Records Administration (NARA): To NARA in 
records management inspections conducted under 44 U.S.C. 2904 and 2906, 
or other functions authorized by laws and policies governing NARA 
operations and VA records management responsibilities.
    5. Researchers, for Research: To epidemiological and other research 
facilities approved by the Under Secretary for Health for research 
purposes determined to be necessary and proper, provided that the names 
and addresses of Veterans and their dependents will not be disclosed 
unless those names and addresses are first provided to VA by the 
facilities making the request.
    6. Nonprofits, for Release of Name and Address: To a nonprofit 
organization if the release is directly connected with the conduct of 
programs and the utilization of benefits under title 38, provided that 
the disclosure is limited the names and addresses of present or former 
members of the armed services or their beneficiaries, the records will 
not be used for any purpose other than that stated in the request, and 
the organization is aware of the penalty provision of 38 U.S.C. 
5701(f).
    7. Federal Agencies, for VA Research: To conduct VA research, 
names, addresses, and Social Security Numbers may be disclosed to other 
Federal and state agencies for the purpose of the Federal or state 
agency disclosing information on the individuals back to VA.
    8. General Public, Governmental and Non-governmental Agencies, and 
Commercial Organizations, from VA approved research: Upon request for 
research project data from VA approved research, the following 
information will be released to the general public, including 
governmental and non-governmental agencies and commercial 
organizations: Project title and number; name and educational degree of 
principal investigator unless the release of this information would 
place the investigator at risk (physical, professional, etc.); Veterans 
Health Administration medical center location; type (initial, progress, 
or final) and date of last report; name and educational degree of 
associate investigators unless the release of this information would 
place the investigator at risk (physical, professional, etc.); project 
abstract if the project is ongoing, and project summary if the project 
has been completed. In addition, upon specific request, keywords and 
indexing codes will be included for each project.
    9. General Public, Governmental and Non-governmental Agencies, and 
Commercial Organizations, for VA employees: Upon request for

[[Page 39478]]

information regarding VA employees conducting research, the following 
information will be released to the general public, including 
governmental agencies and commercial organizations: Name and 
educational degree of investigator; VHA title; academic affiliation and 
title; hospital service; primary and secondary specialty areas and 
subspecialty unless the release of this information would place the 
investigator at risk (physical, professional, etc.)
    10. Former Employee or Contractor, Representative, for State 
Licensing Board (SLB) Reporting: VA may disclose information to a 
former VA employee or contractor, as well as the authorized 
representative of a current or former employee or contractor of VA, in 
connection with or in consideration of reporting that the individual's 
professional health care activity so significantly failed to conform to 
generally accepted standards of professional medical practice as to 
raise reasonable concern for the health and safety of patients, to a 
Federal agency, a state or local government licensing board, or the 
Federation of State Medical Boards or a similar non-governmental entity 
that maintains records concerning individuals' employment histories or 
concerning the issuance, retention, or revocation of licenses, 
certifications, or registration necessary to practice an occupation, 
profession, or specialty.
    11. National Practitioner Data Bank (NPDB), for Hiring, 
Privileging: To the NPDB at the time of hiring or clinical privileging/
re-privileging of health care practitioners, and other times as deemed 
necessary by VA, in order for VA to obtain information relevant to a 
Department decision concerning the hiring, privileging/re-privileging, 
retention, or termination of the applicant or employee.
    12. NPDB, SLB, for Medical Malpractice: To the National 
Practitioner Data Bank or an SLB in the state in which a practitioner 
is licensed, in which the VA facility is located, or in which an act or 
omission occurred upon which a medical malpractice claim was based when 
VA reports information concerning: (1) Any payment for the benefit of a 
physician, dentist, or other licensed health care practitioner that was 
made as the result of a settlement or judgment of a claim of medical 
malpractice, if an appropriate determination is made in accordance with 
Department policy that payment was related to substandard care, 
professional incompetence, or professional misconduct on the part of 
the individual; (2) a final decision that relates to possible 
incompetence or improper professional conduct that adversely affects 
the clinical privileges of a physician or dentist for a period longer 
than 30 days; or (3) the acceptance of the surrender of clinical 
privileges or any restriction of such privileges by a physician or 
dentist, either while under investigation by the health care entity 
relating to possible incompetence or improper professional conduct, or 
in return for not conducting such an investigation or proceeding. These 
records may also be disclosed as part of a computer matching program to 
accomplish these purposes.
    13. Qualified Reviewers, for Application Review Process: 
Information concerning individuals who have submitted research program 
proposals for funding, including the investigator's name, Social 
Security Number, research qualifications and the investigator's 
research proposal, may be disclosed to qualified reviewers for their 
opinion and evaluation of the applicants and their proposals as part of 
the application review process.
    14. Department of Justice (DoJ) for Litigation or Administrative 
Proceeding: To the Department of Justice (DoJ), or in a proceeding 
before a court, adjudicative body, or other administrative body before 
which VA is authorized to appear, when any of the following is a party 
to such proceedings or has an interest in such proceedings, and VA 
determines that use of such records is relevant and necessary to the 
proceedings:
    (a) VA or any component thereof;
    (b) A VA employee in their official capacity;
    (c) A VA employee in their individual capacity where DoJ has agreed 
to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components.
    15. Affiliated Intellectual Property Partners: To affiliated 
intellectual property partners to aid in the possible use, interest in, 
or ownership rights in VA intellectual property.
    16. Individual, Merit Review: To an individual concerning merit 
review of proposals submitted by that individual, except that 
information concerning a third party, such as the name or other 
identifying information about the qualified reviewer of the proposal.
    17. Federal Agencies, Fraud and Abuse: To other Federal agencies to 
assist such agencies in preventing and detecting possible fraud or 
abuse by individuals in their operations and programs.
    18. Data Breach Response and Remediation, for VA: To appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records, (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk of harm to individuals, VA (including its information 
systems, programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with VA's 
efforts to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    19. Contractors: To contractors, grantees, experts, consultants, 
students, and others performing or working on a contract, service, 
grant, cooperative agreement, or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    20. Data Breach Response and Remediation, for Another Federal 
Agency: To another Federal agency or Federal entity, when VA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    21. Federal Agencies, for Research: To a Federal agency for the 
purpose of conducting research and data analysis to perform a statutory 
purpose of that Federal agency upon the prior written request of that 
agency.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored in (1) Paper documents, (2) microscope slides, 
(3) magnetic tape or disk or other electronic media, (4) photographs, 
(5) microfilm, (6) web-based cloud storage systems, and (7) recordings 
(audio and video).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by individual identifiers and indexed by a 
specific project site or location, project number, or under the name of 
the research or development investigator.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records in this system are retained and disposed of in accordance 
with the

[[Page 39479]]

schedule approved by the Archivist of the United States, VHA Records 
Control Schedule 10-1, Item Number 8300.6.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    VA will maintain the data in compliance with applicable VA security 
policy directives that specify the standards that will be applied to 
protect sensitive personal information. Access to VA working space and 
medical record storage areas is restricted to VA employees on a ``need-
to-know'' basis.
    Generally, VA file areas are locked after normal duty hours and 
protected from outside access by the Federal Protective Service. 
Employee file records and file records of public figures or otherwise 
sensitive medical record files are stored in separate locked files. 
Access to automated information systems is protected by an approved 
form of two factor authentication and communications are encrypted at 
rest and in transit.
    Access to a contractor's records and their system of computers used 
with the particular project are available to authorized personnel only. 
Records on investigators stored on automated storage media are 
accessible by authorized VA personnel via VA computers or computer 
systems. They are required to take annual VA mandatory data privacy and 
security training. Security complies with applicable Federal 
Information Processing Standards issued by the National Institute of 
Standards and Technology. Contractors and their subcontractors who 
access the data are required to maintain the same level of security as 
VA employees.
    The system is hosted in Amazon Web Services Government Cloud 
infrastructure as a service cloud computing environment that has been 
authorized at the high-impact level under the Federal Risk and 
Authorization Management Program. The secure site-to-site encrypted 
network connection is limited to access via the VA trusted internet 
connection.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding the existence and content 
of records in this system related to research project submissions or 
participation in research projects may write, call or visit the VA 
location where the records were initially generated. A request for 
access to records must contain the requester's full name, address, 
telephone number, be signed by the requester, and describe the records 
sought in sufficient detail to enable VA personnel to locate them with 
a reasonable amount of effort.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest or amend records in this system 
related to research project submissions or participation in research 
projects may write, call or visit the VA location where the records 
were initially generated. A request to contest or amend records must 
state clearly and concisely what record is being contested, the reasons 
for contesting it, and the proposed amendment to the record.

NOTIFICATION PROCEDURE:
    Individuals who wish to be notified if a record in this system of 
records pertains to them should submit the request following the 
procedures described in ``Record Access Procedures,'' above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    40 FR 38095 (August 26, 1975), 59 FR 16705 (March 27, 2001), 75 FR 
29818 (May 27, 2010), 86 FR 33015 (June 23, 2021).

[FR Doc. 2025-15588 Filed 8-14-25; 8:45 am]
BILLING CODE 8320-01-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>