Privacy Act of 1974; System of Records
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
Pursuant to the Privacy Act of 1974, notice is hereby given that VA is modifying the system of records titled, "Non-VA Care (Fee) Records-VA" (23VA10NB3). This system is used to establish, determine, and monitor eligibility to receive VA benefits and for authorizing and paying Non-VA health care services furnished to veterans and beneficiaries.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 156 (Friday, August 15, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 156 (Friday, August 15, 2025)]
[Notices]
[Pages 39485-39490]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-15590]
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY: Veterans Health Administration (VHA), Department of Veterans
Affairs (VA).
ACTION: Notice of a modified system of records.
-----------------------------------------------------------------------
SUMMARY: Pursuant to the Privacy Act of 1974, notice is hereby given
that VA is modifying the system of records titled, ``Non-VA Care (Fee)
Records-VA'' (23VA10NB3). This system is used to establish, determine,
and monitor
eligibility to receive VA benefits and for authorizing and paying Non-
VA health care services furnished to veterans and beneficiaries.
DATES: Comments on this new system of records must be received no later
than 30 days after the date of publication in the Federal Register. If
no public comment is received during the period allowed for comment or
unless otherwise published in the Federal Register by VA, the new
system of records will become effective a minimum of 30 days after date
of publication in the Federal Register. If VA receives public comments,
VA shall review the comments to determine whether any changes to the
notice are necessary.
ADDRESSES: Comments may be submitted through <a href="http://www.Regulations.gov">www.Regulations.gov</a> or
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F),
Washington, DC 20420. Comments should indicate that they are submitted
in response to ``Non-VA Care (Fee) Records-VA'' (23VA10NB3). Comments
received will be available at <a href="http://regulations.gov">regulations.gov</a> for public viewing,
inspection, or copies.
FOR FURTHER INFORMATION CONTACT: Stephania Griffin, VHA Chief Privacy
Officer, 810 Vermont Avenue NW, (10DH03) Washington, DC 20420,
[email protected], or at telephone number 704-245-2492 (Note:
This is not a toll-free number.)
SUPPLEMENTARY INFORMATION: VA is modifying the system of records by
revising the System Number; System Location; System Manager; Routine
Uses of Records Maintained in the System, including Categories of Users
and the Purposes of such Uses; Policies and Practices for Storage of
Records; Policies and Practices for Retention and Disposal of Records;
and Administrative, Technical, and Physical Safeguards, and
Notification Procedure. VA is republishing the system of records notice
in its entirety.
The System Number is being updated from 23VA10NB3 to 23VA10 to
reflect the current VHA organizational routing symbol.
The System Location and System Manager are being amended to replace
``VA Chief Business Office Purchased Care (CBOPC), Denver, Colorado''
with ``VHA Office of Finance, Payment Operations, Washington, DC.''
The following Routine Uses were updated for clarification purposes:
1. Routine Use number 10 is being amended to state: ``To: (a) a
Federal agency or a health care provider when VA refers a patient for
medical and other health services, or authorizes a patient to obtain
such services and the information is needed by the Federal agency or
health care provider to perform the services; or (b) a Federal agency
or a health care provider under the provisions of 38 U.S.C. 513, 7409,
8111, or 8153, when treatment is rendered by VA under the terms of such
contract or agreement or the issuance of an authorization, and the
information is needed for purposes of medical treatment or follow-up,
determination of eligibility for benefits, or recovery by VA of the
costs of the treatment.''
2. Routine Use number 26 is being amended to state: ``To survey
teams of the Joint Commission on Accreditation of Healthcare
Organizations, College of American Pathologists, American Association
of Blood Banks, and similar national accreditation agencies or boards
with which VA has a contract or agreement to conduct such reviews, as
relevant and necessary for the purpose of program review or the seeking
of accreditation or certification.''
3. Routine Use number 32 is added to state, ``To another Federal
agency or Federal entity, when VA determines that information from this
system of records is reasonably necessary to assist the recipient
agency or entity in (a) responding to a suspected or confirmed breach
or (b) preventing, minimizing, or remedying the risk of harm to
individuals, the recipient agency or entity (including its information
systems, programs, and operations), the Federal Government, or national
security, resulting from a suspected or confirmed breach.''
4. Routine Use number 33 is added to state, ``To the Federal Labor
Relations Authority in connection with the investigation and resolution
of allegations of unfair labor practices, the resolution of exceptions
to arbitration awards when a question of material fact is raised,
matters before the Federal Service Impasses Panel, and the
investigation of representation petitions and the conduct or
supervision of representation elections.''
The Policies and Practices for Storage of Records is being updated
to include that backup data is stored in a web-based cloud storage
system. This section will replace CBOPC with VHA Office of Finance,
Payment Operations.
Policies and Practices for Retention and Disposal of Records is
being updated to remove, ``Paper and electronic documents at the
authorizing health care facility related to authorizing the Non-VA Care
(fee) and the services authorized, billed, and paid for are maintained
in ``Patient Medical Records--VA'' (24VA10P2). These records are
retained at health care facilities for a minimum of 3 years after the
last episode of care. After the third year of inactivity the paper
records are transferred to a records facility for 72 more years of
storage. Automated storage media, imaged Non-VA Care (fee) claims, and
other paper documents that are included in this system of records and
not maintained in ``Patient Medical Records--VA'' (24VA10P2) are
retained and disposed of in accordance with disposition authority
approved by the Archivist of the United States. Paper records that are
imaged for viewing electronically are destroyed after they have been
scanned and the electronic copy is determined to be an accurate and
complete copy of the paper record imaged.'' This section will now state
that ``Records in this system are retained and disposed of in
accordance with the schedule approved by the Archivist of the United
States, Records Control Schedule 10-1 items 6000.9''.
The Administrative, Technical, and Physical Safeguards section is
being updated to include number 7, which states ``VA Enterprise Cloud
data storage conforms to security protocols as stipulated in VA
Directives 6500 and 6517. Access control standards are stipulated in
specific agreements with Cloud vendors to restrict and monitor
access''.
The Notification Procedure Section is being modified to state
``Individuals who wish to be notified if a record in this system of
records pertains to them should submit the request following the
procedures described in ``Record Access Procedures,'' above.''
Signing Authority
The Senior Agency Official for Privacy, or designee, approved this
document and authorized the undersigned to sign and submit the document
to the Office of the Federal Register for publication electronically as
an official document of the Department of Veterans Affairs. Eddie Pool,
Deputy Chief Information Officer, Connectivity and Collaboration
Services, Performing the Delegable Duties of the Assistant Secretary
for Information and Technology and Chief Information Officer, approved
this document on June 9, 2025 for publication.
Dated: August 13, 2025.
Saurav Devkota,
Government Information Specialist, VA Privacy Service, Office of
Compliance, Risk and Remediation, Office of Information and Technology,
Department of Veterans Affairs.
SYSTEM NAME AND NUMBER:
``Non-VA Care (Fee) Records-VA'' (23VA10).
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Paper and electronic records, including electronic images of Non-VA
Care (fee) claims are maintained at the authorizing VA health care
facility; the VA Financial Services Center (FSC), Austin, Texas; Austin
Information Technology Center (AITC), Austin, Texas; and Federal record
centers. Information is also stored in automated storage media records
that are maintained at the authorizing Department of Veterans Affairs
(VA) medical facility; Veterans Health Administration (VHA) Office of
Finance, Payment Operations, Washington, DC, VA Headquarters,
Washington, DC; VA Allocation Resource Center (ARC), Braintree,
Massachusetts; VA Office of Information Field Offices (OIFO). Address
locations for VA facilities are listed in VA Appendix 1 of the biennial
Privacy Act Issuances publication.
SYSTEM MANAGER(S):
Executive Director, VHA Office of Finance, Payment Operations,
[email protected], Department of Veterans Affairs,
810 Vermont Avenue NW, Washington, DC 20420.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
5 U.S.C. 301; 26 U.S.C. 61; and 38 U.S.C. 31, 109, 111, 501, 1151,
1703, 1705, 1710, 1712, 1717, 1720, 1721, 1724, 1725, 1727, 1728, 1741-
1743, 1781, 1786, 1787, 3102, 5701(b)(6), 5701(g)(2), 5701(g)(4),
5701(c)(1), 5724, 7105, 7332, and 8131-8137. 38 CFR 2.6 and 45 CFR part
160 and 164. 44 U.S.C.; 45 U.S.C.; and Veterans Access, Choice, and
Accountability Act of 2014.
PURPOSE(S) OF THE SYSTEM:
Records may be used to establish, determine, and monitor
eligibility to receive VA benefits and for authorizing and paying non-
VA health care services furnished to veterans and beneficiaries. Other
uses of this information include reporting health care provider
earnings to the Internal Revenue Service; for third party liability
issues, including preparing responses to inquiries; performing
statistical analyses for use in managerial activities, including
resource allocation and planning; processing and adjudicating
administrative benefit claims by Veterans Benefits Administration (VBA)
Regional Office staff; conducting audits, reviews, and investigations
by staff of the VA medical facility, Veterans Integrated Service
Network (VISN) Offices, VA FSC, VA Headquarters, and VA's Office of
Inspector General; in the conduct of law enforcement investigations;
and in the performance of quality assurance audits, reviews, and
investigations.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
1. Veterans who seek health care services under 38 U.S.C. Ch. 17.
2. Beneficiaries of other Federal agencies' authorized VA medical
services.
3. Pensioned members of allied forces seeking health care services
under 38 U.S.C. 109.
4. Health care providers treating individuals who receive care
under 38 U.S.C. Ch. 1 and 17.
CATEGORIES OF RECORDS IN THE SYSTEM:
Records maintained in this system include application, eligibility,
and claim information regarding payment determination for medical
services provided to VA beneficiaries by non-VA health care
institutions and providers. Application and eligibility data may
include personal information of the claimant (e.g., name, address,
Social Security number, date of birth, date of death, VA claim number,
other health insurance data); description of VA adjudicated compensable
or non-compensable medical conditions; and military service data (e.g.,
dates, branch and character of service, medical information). Claim
data in this system may include information needed to properly consider
claims for payment such as an Explanation of Benefits; description of
the medical conditions treated and services provided; authorization and
treatment dates; amounts claimed for health care services; health
records, including films; and payment information (e.g., invoice
number, account number, date of payment, payment amount, check number,
payee identifiers). Additional information may include the health care
provider's name, address, and taxpayer identification number;
correspondence concerning individuals and documents pertaining to
claims for medical services; reasons for denial of payment; and
appellate determinations.
RECORD SOURCE CATEGORIES:
The veteran or other VA beneficiary, family members, or accredited
representatives, and other third parties; military service departments;
private medical facilities and health care professionals; electronic
trading partners; other Federal agencies; VHA facilities and automated
systems; VBA facilities and automated systems; VA FSC facility and
automated systems; and deployment status and availability.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include
information protected by the Health Insurance Portability and
Accountability Act Privacy Rule and 38 U.S.C. 7332, that information
cannot be disclosed under a routine use unless there is also specific
statutory authority in both provisions.
1. To a Federal, state, local, territorial, tribal, or foreign law
enforcement authority or other appropriate entity charged with the
responsibility of investigating or prosecuting a violation or potential
violation of law, whether civil, criminal, or regulatory in nature, or
charged with enforcing or implementing such law, provided that the
disclosure is limited to information that, either alone or in
conjunction with other information, indicates such a violation or
potential violation. The disclosure of the names and addresses of
veterans and their dependents from VA records under this routine use
must also comply with the provisions of 38 U.S.C. 5701(f).
2. To a Federal, state, or local governmental agency, maintaining
civil, criminal, or other relevant information, such as current
licenses, registration or certification, if necessary, to obtain
information relevant to an agency decision concerning the hiring or
retention of an employee, the use of an individual as a consultant,
attending or to provide non-VA care (fee), the issuance of a security
clearance, the letting of a contract, or the issuance of a license,
grant, or other health, educational, or welfare benefits. Any
information in this system also may be disclosed to any of the above-
listed governmental organizations as part of a series of ongoing
computer matches to determine if VA health care practitioners and
private practitioners VA uses hold current, unrestricted licenses,
or are currently registered in a state, and are board certified in
their specialty, if any.
3. To a Federal agency, except the United States Postal Service, or
to the District of Columbia government, in response to its request, in
connection with that agency's decision on the hiring, transfer, or
retention of an employee, the issuance of a security clearance, the
letting of a contract, or the issuance of a license, grant, or other
benefit by that agency.
4. To the Department of the Treasury to facilitate payments to
physicians, clinics, and pharmacies for
reimbursement of services rendered or to veterans for reimbursement of
authorized expenses, as well as to collect, by set off or otherwise,
debts owed the United States.
5. To a Member of Congress or staff acting upon the Member's behalf
when the Member or staff requests the information on behalf of, and at
the request of, the individual who is the subject of the record.
6. To the National Archives and Records Administration (NARA) in
records management inspections conducted under 44 U.S.C. 2904, 2906, or
other functions authorized by laws and policies governing NARA
operations and VA records management responsibilities.
7. To a Federal agency, a state or local government licensing
board, the Federation of State Medical Boards, or a similar non-
governmental entity that maintains records concerning individuals'
employment histories or concerning the issuance, retention, or
revocation of licenses, certifications, or registration necessary to
practice an occupation, profession, or specialty, to inform such non-
governmental entities about the health care practices of a terminated,
resigned, or retired health care employee whose professional health
care activity so significantly failed to conform to generally accepted
standards of professional medical practice as to raise reasonable
concern for the health and safety of patients in the private sector or
from another Federal agency. These records may also be disclosed as
part of an ongoing computer matching program to accomplish these
purposes.
8. To the National Practitioner Data Bank at the time of hiring or
clinical privileging/re-privileging of health care practitioners, and
other times as VA deems necessary, in order for VA to obtain
information relevant to a Department decision concerning the hiring,
privileging/re-privileging, retention, or termination of the applicant
or employee.
9. To the National Practitioner Data Bank or a state licensing
board in the state in which a practitioner is licensed, in which the VA
facility is located, or in which an act or omission occurred upon which
a medical malpractice claim was based when VA reports information
concerning:
(a) Any payment for the benefit of a physician, dentist, or other
licensed health care practitioner that was made as the result of a
settlement or judgment of a claim of medical malpractice, if an
appropriate determination is made in accordance with Department policy
that payment was related to substandard care, professional
incompetence, or professional misconduct on the part of the individual;
(b) A final decision that relates to possible incompetence or
improper professional conduct that adversely affects the clinical
privileges of a physician or dentist for a period longer than 30 days;
or
(c) The acceptance of the surrender of clinical privileges or any
restriction of such privileges by a physician or dentist, either while
under investigation by the health care entity relating to possible
incompetence or improper professional conduct, or in return for not
conducting such an investigation or proceeding. These records may also
be disclosed as part of a computer matching program to accomplish these
purposes.
10. To:
(a) a Federal agency or a health care provider when VA refers a
patient for medical and other health services, or authorizes a patient
to obtain such services and the information is needed by the Federal
agency or health care provider to perform the services; or
(b) a Federal agency or a health care provider under the provisions
of 38 U.S.C. 513, 7409, 8111, or 8153, when VA renders treatment under
the terms of such contract or agreement or the issuance of an
authorization and the information is needed for purposes of medical
treatment or follow-up, determination of eligibility for benefits, or
recovery by VA of the costs of the treatment.
11. To the Department of the Treasury to report calendar year
earnings of $600 or more for income tax reporting purposes.
12. To another Federal agency for its use in identifying potential
duplicate payments for health care services VA and that agency paid
for. Information disclosed may include the name, date of birth, Social
Security number of a veteran or beneficiary, and any other identifying
and claim information as is reasonably necessary, such as provider
identification, description of services furnished, and VA payment
amount. This information may also be disclosed as part of a computer
matching agreement to accomplish this purpose.
13. To contractors, grantees, experts, consultants, students, and
others performing or working on a contract, service, grant, cooperative
agreement, or other assignment for VA, when reasonably necessary to
accomplish an agency function related to the records.
14. To attorneys, insurance companies, employers, third parties
liable or potentially liable under health plan contracts, and courts,
boards, or commissions as relevant and necessary to aid VA in the
preparation, presentation, and prosecution of claims authorized by law.
15. To the Department of Justice or in a proceeding before a court,
adjudicative body, or other administrative body before which VA is
authorized to appear, when any of the following is a party to such
proceedings or has an interest in such proceedings, and VA determines
that the use of such records is relevant and necessary to the
proceedings:
(a) VA or any component thereof;
(b) Any VA employee in their official capacity;
(c) Any VA employee in their individual capacity where the
Department of Justice has agreed to represent the employee; or
(d) The United States, where VA determines that litigation is
likely to affect the agency or any of its components.
16. Any information in this system may be disclosed in connection
with any proceeding for the collection of an amount owed to the United
States by virtue of a person's participation in any benefit program VHA
administered when in the judgment of the Secretary, or an official
generally delegated such authority under standard agency delegation of
authority rules (38 CFR 2.6), such disclosure is deemed necessary and
proper, in accordance with 38 U.S.C. 5701(b)(6).
17. To a consumer reporting agency for the purpose of locating the
individual, obtaining a consumer report to determine the ability of the
individual to repay an indebtedness to the United States, or assisting
in the collection of such indebtedness, provided that the provisions of
38 U.S.C. 5701(g)(2) and (g)(4) have been met, provided that the
disclosure is limited to information that is reasonably necessary to
identify such individual or concerning that individual's indebtedness
to the United States by virtue of the person's participation in a
benefits program the Department administered.
18. In response to an inquiry about a named individual from a
member of the general public, information from this system may be
disclosed to report the amount of VA monetary benefits the individual
is receiving. This disclosure is consistent with 38 U.S.C. 5701(c)(1).
19. To a Federal agency for the purpose of conducting research and
data analysis to perform a statutory purpose of that Federal agency
upon the written request of that agency.
20. To accredited service organizations, VA-approved claim agents,
and attorneys acting under a declaration of representation, upon
request, so that these individuals can aid claimants in the
preparation, presentation, and prosecution of claims under the laws VA
administers, provided that the disclosure is limited to information
relevant to a claim, such as the name, address, the basis and nature of
a claim, amount of benefit payment information, medical information,
and military service and active duty separation information.
21. To a fiduciary or guardian ad litem in relation to his or her
representation of a claimant in any legal proceeding as relevant and
necessary to fulfill the duties of the fiduciary or guardian ad litem.
22. To the Department of the Treasury as a report of income under
26 U.S.C. 61(a)(12), provided that the disclosure is limited to
information concerning an individual's indebtedness that is waived
under 38 U.S.C. 3102, compromised under 4 CFR part 103, otherwise
forgiven, or for which the applicable statute of limitations for
enforcing collection has expired.
23. To the Department of the Treasury for the collection of title
38 benefit overpayments, overdue indebtedness, or costs of services
provided to an individual not entitled to such services, by the
withholding of all or a portion of the person's Federal income tax
refund, provided that the disclosure is limited to information
concerning an individual's indebtedness by virtue of a person's
participation in a benefits program VA administered.
24. To the Social Security Administration and the Department of
Health and Human Services for the purpose of conducting computer
matches to obtain information to validate the Social Security numbers
maintained in VA records.
25. The name and address of any health care provider in this system
of records who has received payment for claimed services on behalf of a
veteran or beneficiary may be disclosed in response to an inquiry from
a member of the general public.
26. To survey teams of the Joint Commission on Accreditation of
Healthcare Organizations, College of American Pathologists, American
Association of Blood Banks, and similar national accreditation agencies
or boards with which VA has a contract or agreement to conduct such
reviews, as relevant and necessary for the purpose of program review or
the seeking of accreditation or certification.
27. To a health care provider seeking reimbursement for claimed
medical services to facilitate billing processes, verify eligibility
for requested health care services, and provide payment information for
claimed services, provided that information disclosed is eligibility
and claim information. Eligibility or entitlement information disclosed
may include the name, Social Security number, effective dates of
eligibility, reasons for any period of ineligibility, and evidence of
other health insurance information of the named individual. Claim
information disclosed may include payment information such as payment
identification number, date of payment, date of service, amount billed,
amount paid, name of payee, and reasons for non-payment.
28. To other Federal agencies for the purpose of conducting
computer matches to obtain information to determine or verify
eligibility of veterans receiving VA benefits or medical care under
title 38.
29. To Federal agencies and government-wide third-party insurers
responsible for payment of the cost of medical care for the identified
patients, to seek recovery of the medical care costs. These records may
also be disclosed as part of a computer matching program to accomplish
this purpose.
30. To other Federal agencies to assist such agencies in preventing
and detecting possible fraud or abuse by individuals in their
operations and programs.
31. To appropriate agencies, entities, and persons when (a) VA
suspects or has confirmed that there has been a breach of the system of
records; (b) VA has determined that as a result of the suspected or
confirmed breach there is a risk to individuals, VA (including its
information systems, programs, and operations), the Federal Government,
or national security; and (c) the disclosure made to such agencies,
entities, and persons is reasonably necessary to assist in connection
with VA efforts to respond to the suspected or confirmed breach or to
prevent, minimize, or remedy such harm.
32. To another Federal agency or Federal entity, when VA determines
that information from this system of records is reasonably necessary to
assist the recipient agency or entity in (a) responding to a suspected
or confirmed breach or (b) preventing, minimizing, or remedying the
risk of harm to individuals, the recipient agency or entity (including
its information systems, programs, and operations), the Federal
Government, or national security, resulting from a suspected or
confirmed breach.
33. To the Federal Labor Relations Authority in connection with the
investigation and resolution of allegations of unfair labor practices,
the resolution of exceptions to arbitration awards when a question of
material fact is raised, matters before the Federal Service Impasses
Panel, and the investigation of representation petitions and the
conduct or supervision of representation elections.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are maintained as paper documents or stored electronically
on magnetic discs, magnetic tape, and optical or digital imaging at the
authorizing VA health care facility. Reports and information on
automated storage media (e.g., microfilm, microfiche, magnetic tape and
disks, and digital and laser optical media) are stored at the
authorizing VA health care facility, VA Headquarters, ARC, OIFOs, FSC,
AITC, and VISN offices.
Information pertaining to electronic claims submitted to VA for
payment consideration may be stored at the authorizing VA health care
facility, FSC, AITC, and at VHA Office of Finance, Payment Operations.
Records maintained at VHA Office of Finance, Payment Operations are
stored electronically. Backup data is stored in a web-based cloud
storage system.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Paper and electronic records pertaining to the individual may be
retrieved by the name or Social Security number of the record subject.
Records pertaining to the health care provider are retrieved by the
name or Social Security and taxpayer identification number of the non-
VA health care institution or provider. Records at ARC are retrieved
only by Social Security number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records in this system are retained and disposed of in accordance
with the schedule the Archivist of the United States approved, Records
Control Schedule 10-1 items 6000.9.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
1. VA will maintain the data in compliance with applicable VA
security policy directives that specify the standards that will be
applied to protect sensitive personal information. Contractors and
their subcontractors who access the data are required to
maintain the same level of security as VA staff. Working spaces and
record storage areas in VA facilities are restricted to VA employees.
Generally, file areas are locked after normal duty hours and security
personnel protect health care facilities from outside access. Access to
the records is restricted to VA employees who have a need for the
information in the performance of their official duties. Employee
records or records of public figures or otherwise sensitive records are
generally stored in separate locked files.
2. Electronic data security complies with applicable Federal
Information Processing Standards issued by the National Institute of
Standards and Technology. Access to computer rooms at health care
facilities is generally limited by appropriate locking devices and
restricted to authorized VA employees and vendor personnel. Peripheral
devices are generally placed in secure areas (areas that are locked or
have limited access) or are otherwise protected. Access to file
information is controlled at two levels. The system recognizes
authorized employees by a series of individually unique passwords/codes
that the employee must change periodically, and role-based access
limits employees to only that information in the file which is needed
in the performance of their official duties. Information that is
downloaded and maintained on personal computers is afforded similar
storage and access protections as the data that is maintained in the
original files. Remote access to file information by staff of OIFOs,
and access by Office of Inspector General (OIG) staff conducting an
audit or investigation at the health care facility or an OIG office
location remote from the health care facility is controlled in the same
manner.
3. Access to FSC and AITC is generally restricted to each Center's
employees, custodial personnel, and security personnel. Access to
computer rooms is restricted to authorized operational personnel
through electronic locking devices. All other persons gaining access to
computer rooms are escorted. Authorized VA employees at remote
locations, including VA health care facilities, OIFOs, VA Headquarters,
VISN offices, and OIG Headquarters and field staff, may access
information stored in the computer. Access is controlled by
individually unique passwords/codes that the employee must change
periodically.
4. Access to records maintained at VA Headquarters, ARC, OIFOs, and
VISN offices is restricted to VA employees who have a need for the
information in the performance of their official duties. Access to
information stored on automated storage media is controlled by
individually unique passwords/codes that the employee must change
periodically. Authorized VA employees at remote locations including VA
health care facilities may access information stored in the computer.
Access is controlled by individually unique passwords/codes. Records
are maintained in manned rooms during non-working hours. Security
personnel protect facilities from outside access during working hours.
5. Information downloaded and maintained by the OIG Headquarters
and field offices on automated storage media is secured in storage
areas or facilities to which only OIG staff members have access. Paper
documents are similarly secured. Access to paper documents and
information on automated storage media is limited to OIG employees who
have a need for the information in the performance of their official
duties. Access to information stored on automated storage media is
controlled by individually unique passwords/codes.
6. Access to records maintained at VHA Office of Finance, Payment
Operations is restricted to VA employees who have a need for the
information in the performance of their official duties. Access to
information stored on automated storage media is controlled by
individually unique passwords/codes that the employee must change
periodically. Authorized VA employees at remote locations including VA
health care facilities may access and print information stored in the
computer. Access is controlled by individually assigned unique
passwords/codes. Records are maintained in a secured, pass card
protected and alarmed room. Security personnel protect the facilities
from outside access during non-working hours.
7. VA Enterprise Cloud data storage conforms to security protocols
as stipulated in VA Directives 6500, VA Cybersecurity Program, and
6517, Risk Management Framework for Cloud Computing Services. Access
control standards are stipulated in specific agreements with Cloud
vendors to restrict and monitor access.
RECORD ACCESS PROCEDURE:
Individuals seeking information on the existence and content of
records in this system pertaining to them should contact the system
manager in writing as indicated above. A request for access to records
must contain the requester's full name, address and telephone number,
be signed by the requester, and describe the records sought in
sufficient detail to enable VA personnel to locate them with a
reasonable amount of effort.
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest or amend records in this system
pertaining to them should contact the system manager in writing as
indicated above. A request to contest or amend records must state
clearly and concisely what record is being contested, the reasons for
contesting it, and the proposed amendment to the record.
NOTIFICATION PROCEDURE:
Individuals who wish to be notified if a record in this system of
records pertains to them should submit the request following the
procedures described in ``Record Access Procedures,'' above.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
80 FR 45590 (July 30, 2015); 74 FR 44905 (August 31, 2009); and 67
FR 61205 (September 27, 2002).
[FR Doc. 2025-15590 Filed 8-14-25; 8:45 am]
BILLING CODE 8320-01-P
</pre></body>
</html>