Quiero saber acerca de...

Federal Register / Vol. 86, No. 14 / Monday, January 25, 2021 / Notices only in accordance with a records disposition schedule approved by the Archivist of the United States, including General Records Schedules.

jbell on DSKJLSW7X2PROD with NOTICES

PHYSICAL, PROCEDURAL AND ADMINISTRATIVE
SAFEGUARDS:

1. This list of safeguards furnished in this System of Record is not an exclusive list of measures that have been, or will be taken to protect individually-identifiable information.
The Health Insurance Portability and Accountability Act HIPAA provides guidelines for protecting health information that will be followed by adopting health care industry best practices and the reporting of breaches in order to provide adequate safeguards.
Further, VA policy directives that specify the standards that will be applied to protect health information will be reviewed by VA staff and contractors through mandatory data privacy and security training.
2. Access to data servers and storage areas is restricted to authorized VA
employee or contract staffs who are cleared to work by the Office of Operations, Security, and Preparedness.
Access to the OEI data servers used for storage is restricted and protected by access codes. Health information file areas are locked after normal duty hours. VA facilities are protected from outside access by the Federal Protective Service and/or other security personnel.
3. Access to health information provided by the Veterans Health Administration VHA pursuant to a Business Associate Agreement BAA is restricted to those OEI employees and contractors who have a business need for the information in the performance of their official duties. As a general rule, full sets of health care information are not provided for use unless authorized by the System Manager. File extracts provided for specific official uses will be limited to contain only the information fields needed for the analysis. Data used for analyses will have individual identifying characteristics removed whenever possible.
4. Security complies with applicable Federal Information Processing Standards FIPS issued by the National Institute of Standards and Technology NIST. Health and non-health information files containing unique identifiers such as social security numbers are encrypted to NIST-verified FIPS 1402 standard or higher for storage, transport, or transmission. Any health information files transmitted on laptops, workstations, data storage devices or media are encrypted. Record level files are kept encrypted at all times
VerDate Sep<11>2014

18:31 Jan 22, 2021

Jkt 253001

except when data is in immediate use.
These methods are applied in accordance with HIPAA regulations 45
CFR 164.514 and VA Handbook 6500, Information Security Handbook.
5. Contractors and their subcontractors are required to maintain the same level of security as VA staff for health care information that has been disclosed to them. Any data disclosed to a contractor, or use of a subcontractor to perform authorized analyses, requires use of Data Use Agreements DUAs or Memorandum of Understanding MOU, Non-Disclosure Statements and Business Associates Agreement BAA
to protect health information. Unless explicitly authorized in writing by the VA, sensitive or protected data made available to the contractor and subcontractors shall not be divulged or made known in any manner to any person. Other Federal or state agencies requesting health care information need to provide agreements to protect data.
6. The OEI work area is accessed for business-only needs. A limited amount of data is stored in a combinationprotected safe which is secured inside a limited access room. Direct access to the safe is controlled by select individuals who possess background security clearances. Only a few employees with strict business needs or need-to-know access and completed background checks will ever handle the data once it is removed from the safe for data match purposes.
7. Data matches, analysis, and storage are conducted primarily on secured servers located in Austin, TX, which are housed in a restricted access network area with appropriate locking devices.
Access to such records are controlled by three measures: The application of a VA
security identification card coded with special permissions network areas key pad; the proper input of a series of individually-unique passwords/codes by a recognized user; and the entrance of those select individuals for the performance of their official information technology-related duties.
8. Access to Automated Data Processing ADP files, record level files and related statistical software code is controlled by using an individuallyunique pin number or password entered in combination with a Personally Identifiable Variable PIV card or other information.
9. Access to VA facilities where identification codes, passwords, security profiles and information on possible security violations are maintained is controlled at all hours by the Federal Protective Service, VA, or other security personnel and security access control devices.

PO 00000

Frm 00134

Fmt 4703

Sfmt 4703

6995

10. Public use files prepared for purposes of research and analysis are purged of personal identifiers.
11. Paper records, when they exist, are maintained in a locked room at the Washington National Records Center or at designated locations identified in this System Notice. The Federal Protective Service protects paper records from unauthorized access.
SYSTEM MANAGERS AND ADDRESSES:

OEIs System Manager is Kshemendra Paul, Executive Director, Office of Enterprise Integration, Data Governance and Analytics 008B1, VA Central Office, 810 Vermont Ave. NW, Washington, DC 20420, 2024611052, Kshemendra.Paul@va.gov.
RECORD ACCESS PROCEDURE:

An individual who wants to determine whether the Director, National Center for Veterans Analysis and Statistics 008B1 is maintaining a record under the individuals name or other personal identifier, or wants to determine the content of such records must submit a written request to the Director, National Center for Veterans Analysis and Statistics, Office of Enterprise Integration, 008B1, VA
Central Office, 810 Vermont Ave. NW, Washington, DC 20420. The individual seeking this information must prove his or her identity and provide the name of the survey in question, approximate date of the survey, social security number, full name, and date of birth, telephone number, and return address.
All inquiries must reasonably identify the health care information involved and the approximate date that medical care was provided.
CONTESTING RECORD PROCEDURES:

See Records Access Procedures.
NOTIFICATION PROCEDURE:

A Veteran who wishes to determine whether a record is being maintained by the Office of Enterprise Integration under his or her name or other personal identifier or wishes to determine the contents of such records should submit a written request or apply in person to:
1 Executive Director, Office of Enterprise Integration, 008B, VA
Central Office, 810 Vermont Ave. NW, Washington, DC 20420. 2 Director, National Center for Veterans Analysis and Statistics, Office of Enterprise Integration, 008B1, VA Central Office, 810 Vermont Ave. NW, Washington, DC
20420. Inquiries should include the individuals full name and social security number.

E:FRFM25JAN1.SGM

25JAN1