Federal Register - August 17, 2021
Source: Federal Register
46094
Federal Register / Vol. 86, No. 156 / Tuesday, August 17, 2021 / Notices
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
1. Data transmissions between VA health care facilities, the Health Eligibility Center (HEC), the AITC, 3M Cogent, Inc. databases are accomplished using the Department's secure wide area network. The software programs automatically flag records or events for transmission based upon functional requirements. Server jobs at each facility run continuously to check for data to be transmitted and/or incoming data which needs to be parsed to files on the receiving end. All messages containing data transmissions include header information that is used for validation purposes. The recipients of the messages are controlled and/or assigned to the mail group based on their role or position. Consistency checks in the software are used to validate the transmission and electronic acknowledgment messages are returned to the sending application. VA's Office of Cyber Security has oversight responsibility for planning and implementing computer security.
2. Working spaces and record storage areas at HEC, Austin Information Technology Center, and the Veteran Health Identification Card (VHIC) processing locations are secured during all business hours, as well as during non-business hours. All entrance doors require an electronic pass card, for entry when unlocked, and entry doors are locked outside normal business hours.
Visitors to the HEC are required to present identification, sign in at a specified location, and are issued a pass card that restricts access to nonsensitive areas. Visitors to the HEC are escorted by staff through restricted areas. At the end of the visit, visitors are required to turn in their badge. The building is equipped with an intrusion alarm system, which is activated during non-business hours. This alarm system is monitored by a private security service vendor. The office space occupied by employees with access to Veteran records is secured with an electronic locking system, which requires a card for entry and exit of that office space. Access to the AITC is generally restricted to AITC staff, VA Central Office employees, custodial personnel, Federal Protective Service and authorized operational personnel through electronic locking devices. All other persons gaining access to the computer rooms are escorted.
3. Access to the VHIC contractor secured work areas is also controlled by electronic entry devices, which require a card and manual input for entry and exit of the production space. The VHIC contractor's building is also equipped with an intrusion alarm system and a security service vendor monitors the system.
4. Contract employees are required to sign a Business Associates Agreement as required by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule as acknowledgement of mandatory provisions regarding the use and disclosure of protected health information. Employee and contractor access is deactivated when no longer required for official duties or upon termination of employment. Recurring monitors are in place to ensure compliance with nationally and locally established security measures.
5. Beneficiary's enrollment and eligibility information is transmitted from the Enrollment and Eligibility information system to VA health care facilities over the Department's secure computerized electronic communications system.
6. Only specific key staff have authorized access to the computer room. Programmer access to the information systems is restricted only to staff whose official duties require that level of access.
7. On-line data reside on magnetic media in the HEC and AITC computer rooms that are highly secured. Backup media are stored in the computer room within the same building and only information system staff and designated management staff have access to the computer room. On a weekly basis, backup media are stored in off-site storage by a media storage vendor. The vendor picks up and returns the media in a locked storage container; vendor personnel do not have key access to the locked container. The AITC has established a backup plan for the Enrollment system as part of a required Certification and Accreditation of the information system.
8. Any sensitive information that may be downloaded to personal computers or printed to hard copy format is provided the same level of security as the electronic records. All paper documents and informal notations containing sensitive data are shredded prior to disposal. All magnetic media (primary computer system and personal computer disks) are degaussed prior to disposal or release off-site for repair. The VHIC contractor destroys all Veteran identification data 30 days after the VHIC card has been mailed to the Veteran in accordance with contractual requirements.
9. All new HEC employees receive initial information security and privacy training; refresher training is provided to all employees on an annual basis. The HEC's Information Security Officer performs an annual information security audit and periodic reviews to ensure security of the system. This annual audit includes the primary computer information system, the telecommunication system, and local area networks. Additionally, the Internal Revenue Service performs periodic on-site inspections to ensure the appropriate level of security is maintained for Federal tax data.
10. Identification codes and codes used to access Enrollment and Eligibility information systems and records systems, as well as security profiles and possible security violations, are maintained on magnetic media in a secure environment at the Center. For contingency purposes, database backups on removable magnetic media are stored off-site by a licensed and bonded media storage vendor.
11. Contractors, subcontractors, and other users of the Enrollment and Eligibility Records systems will adhere to the same safeguards and security requirements to which HEC staff must comply.
ACCESS:
1. In accordance with national and locally established data security procedures, access to enrollment information databases (Administrative Data Repository) is controlled by unique entry codes (access and verification codes). The user's verification code is automatically set to be changed every 90 days. User access to data is controlled by role-based access as determined necessary by supervisory and information security staff as well as by management of option menus available to the employee. Determination of such access is based upon the role or position of the employee and functionality necessary to perform the employee's assigned duties.
2. Employees are required to have completed VA Privacy and Information Security Awareness and Rules of Behavior (VA 10176) training, and Privacy and HIPAA Focused Training (VA 10203) to request and be granted access to the Enrollment Systems. There is also a user agreement notification that all users must attest to, acknowledging understanding of privacy and confidentiality requirements before gaining access to the system. In addition, all employees receive annual privacy awareness and information security training. Access to electronic records is deactivated when no longer required for official duties. Recurring monitors are in place to ensure compliance with nationally and locally established security measures.