Page 1: Altoona Veterans Health Administration - United States … ·  · 2016-01-27Information Security Officer ... Indiana and Huntingdon in Pennsylvania The system includes subsystem

Privacy Impact Assessment for the VA IT System called: Altoona Veterans Health Administration

Date PIA completed: December 2, 2015

VA System Contacts:

Role                            Name                     E-mail             Phone Number
Privacy Officer                 Therese Blocher RHIA     [email protected]  814-943-8164
Information Security Officer    Elaine Ray, Acting ISO   [email protected]  724.285.2222
System Owner                    Michael Hynoski          [email protected]  814-943-8164
Person Completing the Document  Therese Blocher RHIA     [email protected]  814-943-8164


Abstract

Veterans’ Health Information Systems and Technology Architecture (VistA) is a highly integrated system which runs administrative and clinical applications. Each Veterans Affairs (VA) medical center uses VistA as an integrated hospital information system. VistA is structured so that it can be customized in certain specialized areas, and most local medical centers have taken advantage of this flexibility. Applications within VistA support a multitude of areas including medical imaging, supply management, decision support, medical research, and education.

The GSS system is a group of servers, computers and associated devices that share a common communications line on which the VHA health care facilities operate their software applications and databases. Without the GSS, sharing data between applications, databases or other medical centers would not be possible, thus compromising patient care. The GSS system operates in medical centers, community-based clinics, out-reach clinics and Vet Centers.

Overview

The ALT-VHA System is a General Support System (GSS) in Region 4 comprised of workstations, printers, Commercial off the Shelf and other applications based on IP addresses within the VA Altoona Healthcare. It also includes servers, routers, hubs, switches, and firewalls that support communications to the VA Altoona Healthcare and 5 Community Based Outpatient Clinics located in Dubois, Johnstown, State College, Indiana and Huntingdon in Pennsylvania. The system includes subsystem components such as tape drives, disk drives, uninterruptible power supplies (UPS), network area storage (NAS) and storage access networks (SAN).

The system contains and transmits contact, personal, health, military, educational, benefits, demographic, and financial information on approximately 25,362 unique patients, 710 employees, 399 volunteers and contractors. The legal authority to operate the system is Title 38, United States Code, Section 7301.

VistA has been in Operations/Maintenance since 1998 and the system provides electronic health records services for over 500,000 veterans and their eligible dependents.

VistA hardware and software is supported and managed by the Region 4 Business Systems Service Line Health Systems Division. The VistA system software is made up of over 100 software packages, all of which are used at various locations in over 20 geographic areas called Veterans Integrated Service Networks (VISN's). Each package is made up of multiple software programs. Access to the system is via workstations operating on Windows-family Operating Systems (O/S) and thin client terminals located throughout various medical centers. Microsoft Windows client workstations connect to VistA over a Windows network using terminal emulation software and the Remote Procedure Call (RPC) Broker. There is access from the Intranet to both the VA's wide area network (WAN) and to the Internet via the VA Internet Gateways. VA-approved firewalls are positioned between the Intranet and the Internet Gateways. Digital Equipment Corporation (DEC) VT and other types of terminals connect to VistA via Ethernet and terminal servers. The VistA system Kernel software provides identification and authentication, access control via menu management, and auditing of user actions. VA FileMan provides VistA database management.

The VA Altoona Healthcare conducts a variety of data sharing internal and external to the Department of Veterans Affairs. Internal sharing, discussed in greater detail in Section 4 of this Privacy Impact Assessment (PIA), is done to ensure that Veterans and their families receive the benefits and care they have earned. External sharing, which is discussed in greater detail in Section 5 of this PIA, is done to ensure Veterans' families receive the benefits/care they have earned and to meet federal or state reporting requirements.

The following VA System of Records Notices (SORNs) apply to ALT-VHA:


Applicants for Employment under Title 38, USC - SORN 02VA135
Individuals Serving on a Fee Basis or Without Compensation (Consultants, Attendings, and Others or Paid Indirectly through a Disbursement Agreement) Personnel Records – SORN 14VA05
Non-VA Fee Basis Records – SORN 23VA16
Patient Medical Records – SORN 24VA10P2
National Patient Database - SORN 24VA10P2
Community Placement Program – SORN 65VA 122
Health Care Provider Credentialing and Privileging Records – SORN 77VA10Q
Veterans Health Information Systems and Technology Architecture (VISTA) Records – SORN 79VA19; 79VA10P2
Income Verification Records – SORN 89VA19; SORN 89VA10NB
Automated Safety Incident Surveillance and Tracking System-VA – SORN 99VA13
The Revenue Program Billings and Collections Records – SORN 114VA16
Patient Advocate Tracking System (PATS) – SORN 100VA10NS10
Police and Security Records – SORN 103VA07B
Enrollment and Eligibility Records – SORN 147VA16

Section 1. Characterization of the Information – GSS and VistA

The following questions are intended to define the scope of the information requested and collected as well as the reasons for its collection as part of the program, IT system, or technology being developed.

1.1 What information is collected, used, disseminated, created, or maintained in the system?

Please check any information listed below that your system collects, uses, disseminates, creates, or maintains. If additional SPI is collected, used, disseminated, created, or maintained, please list those in the text box below:

Name
Social Security Number
Date of Birth
Mother’s Maiden Name
Mailing Address
Zip Code
Phone Number(s)
Fax Number
Email Address
Emergency Contact Information (Name, Phone Number, etc. of a different individual)
Financial Account Information
Health Insurance Beneficiary Numbers
Account numbers
Certificate/License numbers
Vehicle License Plate Number
Internet Protocol (IP) Address Numbers
Current Medications
Previous Medical Records
Race/Ethnicity
Next of Kin
Guardian Information
Electronic Protected Health Information (ePHI)
Military history/service connection/non-service connected status
Service connected disabilities
Employment information
Veteran dependent information
Disclosure requestor information
Death certificate information
Tumor PII/PHI statistics
Criminal background information
Education information
Gender

1.2 What are the sources of the information in the system?

The information collected, maintained, and/or disseminated by VA Altoona Healthcare is derived from various sources. The information may come directly from the Veteran or other programs and resources in the Veterans Benefits Administration (VBA), VA Health Eligibility Center (HEC), Department of Defense (DOD), VA Network Authorization Office (NAO) for non-VA care payments, and non-VA providers. Criminal background information is obtained from the National Crime Information Center (NCIC) and used to confirm employment and/or volunteer eligibility and to assist the VA Police Service with conducting internal investigations.

1.3 How is the information collected?

Information obtained directly from patients, employees, and/or other members of the public is collected using paper forms (such as an enrollment form for VA health care or a 10-5345 authorization for the release of medical records), verbally, via interviews and assessments, or electronically such as MyHealtheVet secure messaging.

Information from outside sources is collected in various ways. For example, military records are obtained from the Department of Defense. Fee-based providers provide documentation of their assessment via the Computerized Patient Records System (CPRS) or in hard copy format via fax to the Fee Service staff.

1.4 What is the purpose of the information being collected, used, disseminated, created, or maintained?

Information is collected, maintained, and processed by Altoona Veterans Health Administration for the following purposes:

To determine eligibility for health care and continuity of care
For emergency contact information in the case of medical emergency
To provide medical care
To communicate with Veterans/Patients and their families or emergency contacts
To determine legal authority for providers and health care workers to practice medicine and/or subject matter expertise
To respond to release of information requests
Third Party health insurance billing
Contact for employment eligibility/verification

1.5 How will the information be checked for accuracy?

Much of the information provided by a Veteran is presumed accurate because it is provided by the person to whom the information pertains. Demographic data, emergency/next of kin, and financial information is updated annually or during each clinic visit as needed. Likewise, information entered into a Veteran’s medical record by a provider is presumed accurate.

Information is checked through the Veterans Benefits Administration (VBA) to verify eligibility for VA benefits. Information regarding military service history is verified against Department of Defense (DOD) military records and income information is verified via information from the Social Security Administration (SSA) and the Internal Revenue Service (IRS).

1.6 What specific legal authorities, arrangements, and agreements defined the collection of information?

The legal authorities that defined the collection of information include the Veterans Benefits Act, Chapter 73: Veterans Health Administration – Organization and Functions, Title 38, U.S.C. § 7301.

1.7 PRIVACY IMPACT ASSESSMENT: Characterization of the information

Follow the format below when entering your risk assessment:

Privacy Risk: The ALT-VHA collects both Personally Identifiable Information (PII) and a variety of other Sensitive Personal Information (SPI) such as Protected Health Information (PHI). Due to the highly sensitive nature of this information, there is a risk that access by an unauthorized person could result in serious personal, professional, or financial harm to the individual to whom the information pertains.

Mitigation: The ALT-VHA System and the Veterans Health Administration (VHA) employ a variety of security measures designed to ensure the information is not inappropriately released or disclosed. These measures include: access control, awareness/training, audit and accountability, certification, accreditation, security assessments, configuration management, contingency planning, identification and authentication, incident response, maintenance, media protection, physical and environmental protection, planning, personnel security, risk assessment, systems and services acquisition, system and communications protection, and system/information integrity. Our facility employs all security controls in the respective high impact security control baseline unless specific exemptions have been allowed based on the tailoring guidance provided in the National Institute of Standards and Technology (NIST) Special Publication 800-37, VA Handbook 6500, and other specific VA Directives.

Section 2. Uses of the Information – GSS and VistA

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

2.1 Describe how the information in the system will be used in support of the program’s business purpose.

Name – Used to correctly identify the patient during appointments or clinical procedures
Social Security Number – Used as a patient identifier for clinical procedures and as a resource for income verification with the SSA
Date of Birth – Used to identify age and confirm patient identity
Mother’s Maiden Name – Used to confirm patient identity
Phone Number – Used to contact the Veteran for various reasons, such as appointment scheduling and other medical items
Zip Code – Used for communication, billing purposes, and to calculate travel pay
Mailing Address – Used for communication, billing purposes, and to calculate travel pay
Fax Number – Used to send forms and records to business contacts, insurance companies and health care providers
Email address – Used for communication with patient via MyHealtheVet
Emergency contact (name, address, phone number) – Used to notify persons of the Veteran’s choosing in the case of an emergency
Financial Account Information – Used to calculate co-payments and VA healthcare eligibility
Health Insurance Beneficiary Account Number – Used to communicate and bill third party health care plans
Certificate/License Numbers – Used to track and verify legal authority to practice medicine and licensure for health care workers in a particular area of expertise
Internet Protocol (IP) Address Numbers – Used for configuration and network connections and/or network communication to allow information to be transferred from one information technology system to another
Current medications – Used within the medical records for health care/treatment purposes
Previous Medical Records – Used for continuity of care purposes
Race/Ethnicity – Used for patient demographic information and for indicators of ethnicity-related diseases
Next of Kin – Used to notify persons of the Veteran’s choosing in the case of an emergency, notification of death, or decision making purposes should the patient be incapacitated
Guardian Information – Used when the patient is unable to make decisions for himself/herself
Electronic Protected Health Information (ePHI) – Used for history of health care treatment during treatment and planning of treatment
Military history/service connection – Used to evaluate medical conditions that could be related to location of military time served and to determine VA healthcare eligibility and treatment
Employment Information – Used to determine VA employment eligibility, Veteran contact, and financial verification
Veteran dependent information – Used to determine benefit support and emergency contact person
Disclosure Requestor Information – Used to track and account for patient medical records released to requestors
Death Certificate Information – Used to determine date, location, and cause of death
Tumor PII/PHI – Used to track and trend statistical data regarding cancerous diseases
Criminal Background Information – Used to determine employment eligibility and to assist VA Police investigations
Education Information – Used for demographic information for patients and as a determining factor for VA employment in areas of expertise
Gender – Used as patient demographic identity, indicator for type of medical care or provider, and to determine the type of medical tests required for an individual

2.2 What types of tools are used to analyze data and what type of data may be produced?

ALT-VHA utilizes statistics and analysis to create various reports, which provide a better understanding of patient care and needs. These reports track the following:

The number of patients enrolled, provider capacity, staffing ratio, new primary care patient wait time, etc. for Veterans enrolled into a Patient Care Aligned Team
Beneficiary travel summary/benefits
Workload and cost resources for various services, i.e., mental health, primary care, home dialysis, fee services, etc.
Daily bed management activity
Coding averages for outpatient/inpatient encounters
Satisfaction of Healthcare Experience of Patients (SHEP) data as it pertains to customer satisfaction regarding outpatient/inpatient services
Unique patient trends
Clinic wait times

2.3 PRIVACY IMPACT ASSESSMENT: Use of the information

Several controls are in place to ensure data is used and protected in accordance with legal requirements, VA policies, and VA’s stated purpose for using the data. These controls include mandatory training for all employees, volunteers, and contractors; monitoring inappropriate access through security logs; review of staff menu and security keys; monitoring functional categories for minimum access, etc.

Data such as wait times, provider case load, and VA employee time/attendance is used to perform daily operational tracking and trending.

Section 3. Retention of Information – GSS and VistA

The following questions are intended to outline how long information will be retained after the initial collection.

3.1 What information is retained?

Name
Social Security Number
Date of Birth
Mother’s Maiden Name
Mailing Address/Zip Code
Fax Number
Email
Emergency Contact (name, address, phone number)
Health Insurance Beneficiary Account Number
Certificate/License Numbers
Internet Protocol (IP) Address Numbers
Current medications
Previous Medical Records
Race/Ethnicity
Next of Kin Information (name, address, phone number)
Guardian Information
Electronic Protected Health Information (ePHI)
Military History/service connection
Employment
Veteran Dependent Information
Disclosure Requestor Information
Death Certificate Information
Tumor PII/PHI
Criminal Background Information
Education Information
Gender
Financial Account
Zip Code
Phone Number

3.2 How long is information retained?

VA Altoona Healthcare will retain the patient’s health records for 75 years after the last episode of medical care as directed by the Department of Veterans Affairs, Veterans Health Administration Record Control Schedule (RCS) 10-1.

3.3 Has the retention schedule been approved by the VA records office and the National Archives and Records Administration (NARA)? If so please indicate the name of the records retention schedule.

ALT-VHA operates using three NARA approved retention schedules:

Department of Veterans Affairs, Veterans Health Administration Record Control Schedule (RCS) 10-1
Department of Veterans Affairs, Office of Information & Technology RCS 005-1
The General Records Schedules - Transmittal 24 - NARA August 2015

3.4 What are the procedures for the elimination of SPI?

Electronic information within ALT-VHA is destroyed by the disposition guidance of the Records Control Schedule (RCS) 10-1 (maintained for 75 years after the last episode of medical care). The ALT-VHA has a current and active records destruction plan in accordance with the VHA Privacy Compliance Assurance Office and the VHA Records Management and Office of Information Technology. The plan for destruction of electronic information will be routed for approval and implementation through VHA, Veterans Administration Central Office, and the National Archives. Paper documents are cross cut shredded on site by a vendor accompanied by a certificate of destruction. The contractor then secures the shredded material until final disposition at a recycling plant. The recycling plant uses a pulping/bleaching process.

3.5 PRIVACY IMPACT ASSESSMENT: Retention of information

Privacy Risk: Information retained by Altoona Veterans Health Administration longer than is necessary to fulfill the VA Mission is at greater risk of being unintentionally released or breached.

Mitigation: To mitigate, VA Altoona Healthcare adheres to the VA RCS 10-1 Schedules for each category of data it maintains. When the data retention period is reached, VA Altoona Healthcare will dispose of the information per the mechanism described in question 3.4.

Section 4. Internal Sharing and Disclosure – GSS and VistA

The following questions are intended to define the scope of information sharing within VA.

4.1 With which internal organizations is information shared? What information is shared, and for what purpose? How is the information transmitted or disclosed?

Columns: Program Office or IT System information is shared with | Reason why information is shared with the specified program or IT system | List the specific information types that are shared with the Program or IT system | Method of transmittal

VA Tumor Registry
  Reason: Tracking and trending of diseases
  Information shared: Diagnosis, tumor status, treatment outcome, survivor tracking, type of treatments, demographics, hormone radiation, chemotherapy and problem lists
  Method of transmittal: Electronic Tumor Registry package

VA Network Authorization Office: Non-VA Care Payments
  Reason: Health/Medical payment authorization
  Information shared: Demographics, diagnoses, medical history, service connection, provider orders, VHA recommendation/approval for non-VA care
  Method of transmittal: Fee Basis Claim System (FBCS) software program

VA Veterans Benefits Administration
  Reason: Service-connected/non-service connected disabilities, benefit payments, educational benefits, spousal benefits
  Information shared: Financial assessment test and service-connected disability diagnoses, veterans’ health status, compensation and pension exam notes
  Method of transmittal: Compensation and Pension Record Interchange (CAPRI)

VA Health Eligibility Center (HEC)
  Reason: Medical Care Cost Recovery
  Information shared: Diagnosis, service connection, dates of service, health insurance information, demographics
  Method of transmittal: Enrollment Systems Redesign or automatic upload to Health Eligibility Center (HEC) via Veterans Information Systems and Technology Architecture (VISTA)

VA National Cemetery Administration
  Reason: Death/burial benefits
  Information shared: Veteran’s name, SSN, branch of service, military discharge papers - Form DD214
  Method of transmittal: Secure fax

Northeast Consolidated Patient Account Center
  Reason: Medical care cost recovery
  Information shared: Diagnosis, service connection, dates of service, health insurance information, demographics
  Method of transmittal: Veterans Information Systems and Technology Architecture (VISTA)

Consolidated Mail Outpatient Pharmacy (CMOP)
  Reason: For a complete patient profile of controlled substances
  Information shared: Veteran’s name, address, full social security number, date of birth, provider’s name, name/quantity of medication(s), provider name
  Method of transmittal: Veterans Information Systems and Technology Architecture (VISTA)

4.2 PRIVACY IMPACT ASSESSMENT: Internal sharing and disclosure

Follow the format below:

Privacy Risk: There is a risk that information might be shared internally with individuals who do not have a “need to know” as defined by their functional category and without first establishing a legal authority to disclose information.

Mitigation: Appropriate safeguards are implemented to ensure data is sent to the correct VA organization. Employees undergo annual Privacy/HIPAA (Health Insurance Portability and Accountability Act) training and Privacy and Information Security Awareness and Rules of Behavior training. Employees utilize secure passwords, personal identification verification (PIV) cards, personal identification numbers (PIN), encryption, and appropriate safeguards (as outlined in VHA Handbook 1605.1) when faxing, mailing, or scanning Veterans’ personally identifiable information (PII) to other VA organizations.

Section 5. External Sharing and Disclosure – GSS and VistA

The following questions are intended to define the content, scope, and authority for information sharing external to VA, which includes Federal, State, and local governments, and the private sector.

5.1 With which external organizations is information shared? What information is shared, and for what purpose? How is the information transmitted and what measures are taken to ensure it is secure?

Is the sharing of information outside the agency compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If not, please describe under what legal mechanism the IT system is allowed to share the information in identifiable form or personally identifiable information outside of VA.

Columns: Program Office or IT System information is shared with | Reason why information is shared with the specified program or IT system | List the specific information types that are shared with the Program or IT system | Legal authority, binding agreement, SORN routine use, etc. that permit external sharing (can be more than one) | Method of transmission and measures in place to secure data

Pennsylvania Department of Health – Infectious Disease
  Reason: Tracking of infectious diseases
  Information shared: Health information regarding infectious disease, patient’s name, lab results, and contact information
  Legal authority: PA State Law – 38 PS §521.1 et seq.; Standing Request Letter; Title 38 USC Section 5701; SORN 79VA19; SORN 79VA10P2; VHA Directive 2013-008
  Method of transmission: Via secure fax, telephone and/or electronically through PA-National Electronic Disease Surveillance System (PA-NEDSS)

Pennsylvania Department of Health – Cancer Registry
  Reason: Tracking of cancer cases
  Information shared: Health information, patient’s name/contact information
  Legal authority: PA State Law - 38 PS §521.1 et seq.; Standing Request Letter; Title 38 USC Section 5701; SORN 79VA19; SORN 79VA10P2
  Method of transmission: Data use Agreement (DUA) – electronic transmission

Pennsylvania Department of Aging
  Reason: Reporting of suspected elder abuse
  Information shared: Patient’s name, social security number, date of birth, home address, name of persons contacted, next of kin, alternate next of kin, whom the abused resides with, mental status, current diagnosis, type of alleged abuse
  Legal authority: PA State Law – 35 PS §10225.101 et seq.; Standing Request Letter; SORN 79VA19; SORN 79VA10P2
  Method of transmission: Via phone call to Department of Aging

CORE – Center for Organ Recovery
  Reason: Facilitating organ donor activities
  Information shared: Patient’s name, social security number, date of birth, death details, progress notes relevant to donor assessment
  Legal authority: Federal Registry Routine Use # 46; SORN 79VA19; SORN 79VA10P2
  Method of transmission: Computerized Patient Record System (CPRS) record reviews and Center for Organ Recovery and Education (CORE) forms. Notification by phone call.

Social Security Administration
  Reason: To determine eligibility or continuation of benefits
  Information shared: Social Security Number, Protected Health Information (PHI)
  Legal authority: Title 38 USC Code Section 5701; SORN 79VA19; SORN 79VA10P2
  Method of transmission: Via secure web portal.

If specific measures have been taken to meet the requirements of OMB Memoranda M-06-15 and M-06-16, note them here.

Secure passwords, authentication codes, authorized access.

5.2 PRIVACY IMPACT ASSESSMENT: External sharing and disclosure

Follow the format below:

Privacy Risk: There is a potential risk that information may be shared with an external organization or agency that does not have legal authority to access VA data.

Mitigation: Appropriate safeguards are implemented to ensure data is not shared with an unapproved or incorrect organization. Employees undergo annual Privacy and HIPAA (Health Insurance Portability and Accountability Act) training and Privacy and Information Security and Rules of Behavior training. Other safeguards include: use of secure passwords, access on a “need to know” basis, personal identification verification (PIV) cards, personal identification numbers (PIN), encryption and access authorization. Standing letters, sharing agreements, data use agreements, and business associate agreements are monitored closely by the Privacy Officers and Health Information Management Service to ensure protection of information.

Section 6. Notice - GSS and VistA

The following questions are directed at providing notice to the individual of the scope of information collected, the right to consent to uses of the information, and the right to decline to provide information.

6.1 Was notice provided to the individual before collection of the information?

Yes. The Notice of Privacy Practices, IB 10-163 dated October 2014, is distributed in accordance with VHA Handbook 1605.04.

Yes. The VA Altoona Healthcare provides notice of information collection in several ways, i.e., during individual interviews or in writing on various forms and applications submitted by the individual. Additional notice is provided through the Notice of Privacy Practices (NOPP) and Privacy Impact Assessments (PIA), which are available online as required by the eGovernment Act of 2002, Pub.L. 107-347 § 208(b)(1)(B)(iii), the Department of Veterans Affairs, and the following VA Systems of Record Notices (SORNs) which are published in the Federal Register and available online:

Applicants for Employment under Title 38, USC - SORN 02VA135
Individuals Serving on a Fee Basis or Without Compensation (Consultants, Attendings, and Others or Paid Indirectly through a Disbursement Agreement) Personnel Records – SORN 14VA05
Non-VA Fee Basis Records – SORN 23VA16
Patient Medical Records – SORN 24VA10P2
National Patient Database - SORN 24VA10P2
Community Placement Program – SORN 65VA 122
Health Care Provider Credentialing and Privileging Records – SORN 77VA10Q
Veterans Health Information Systems and Technology Architecture (VISTA) Records – SORN 79VA19; 79VA10P2
Income Verification Records – SORN 89VA19; SORN 89VA10NB
Automated Safety Incident Surveillance and Tracking System-VA – SORN 99VA13
The Revenue Program Billings and Collections Records – SORN 114VA16
Patient Advocate Tracking System (PATS) – SORN 100VA10NS10
Police and Security Records – SORN 103VA07B
Enrollment and Eligibility Records – SORN 147VA16

6.2 Do individuals have the opportunity and right to decline to provide information? If so, is a penalty

or denial of service attached?

Individuals have the opportunity to decline to provide information without a penalty with the exception of the

means test process. Non-service connected Veterans and Veterans who are in receipt of service-connected

compensation of less than 50% may decline to give a financial assessment called a means test and as a result,

may be placed in category 8 and billed for certain services.

6.3 Do individuals have the right to consent to particular uses of the information? If so, how does the

individual exercise the right?

Veterans may use VA Form 10-5345 (Request for Authorization to Release Medical Records or Health Information) to state with whom their information may be shared. Veterans also have the right to opt in to or out of the Altoona Veterans Health Administration Inpatient Facility Directory: on admission to Altoona Veterans Health Administration, each individual is asked whether or not they wish to be listed in the Inpatient Facility Directory.

6.4 PRIVACY IMPACT ASSESSMENT: Notice

Privacy Risk: There is a risk that Veterans and other members of the public may not know that the ALT-VHA exists or that it collects, maintains, and/or disseminates PII and other SPI about them.

Mitigation: The ALT-VHA mitigates this risk by providing individuals notice of information collection and notice of the system's existence through the methods discussed in question 6.1.


Section 7. Access, Redress, and Correction - GSS and VistA

The following questions are directed at an individual’s ability to ensure the accuracy of the information

collected about him or her.

7.1 What are the procedures that allow individuals to gain access to their information?

When requesting access to their own records, patients are asked to complete VA Form 10-5345a (Individuals' Request for a Copy of Their Own Health Information), which can be obtained from the medical center or online at http://www.va.gov/vaforms/medical/pdf/vha-10-5345a-fill.pdf.

Additionally, Veterans and their dependents can gain access to their Electronic Health Record (EHR) by enrolling in My HealtheVet, VA's online personal health record. More information regarding My HealtheVet may be found at https://www.myhealth.va.gov/index.html.

In addition to the procedures discussed above, the SORNs listed in question 6.1 address record access, redress, and correction. Links to all VA SORNs may be found at http://www.oprm.va.gov/privacy/systems_of_records.aspx

7.2 What are the procedures for correcting inaccurate or erroneous information?

Individuals are provided the opportunity to request a change to their medical record via the amendment process. An amendment is the authorized alteration of health information by modification, correction, addition, or deletion. An individual requests an amendment by making a formal written request, mailed or delivered to the VA health care facility that maintains the record. The request must adequately describe the specific information the individual believes to be inaccurate, incomplete, irrelevant, or untimely, and the reason for this belief. A request for amendment of information contained in a system of records is processed by the Privacy Officer (PO). In reviewing requests to amend or correct records, the PO must be guided by the criteria set forth in VA regulation 38 CFR 1.579: VA must maintain in its records only such information about an individual as is accurate, complete, timely, relevant, and necessary.

Individuals have the right to review and change their contact or demographic information at time of

appointment or upon arrival to the VA facility and/or submit a change of address request form to the facility

Business Office for processing.

7.3 How are individuals notified of the procedures for correcting their information?

Verbal inquiries regarding the amendment request process are generally received by the Business Office, Release of Information Office, Patient Experience Officer, or Privacy Officer, and any member of the Release of Information Office, the Patient Experience Officer, or the Privacy Officer can explain the process. The amendment process is also explained in the Notice of Privacy Practices (NOPP).

7.4 If no formal redress is provided, what alternatives are available to the individual?


The Privacy Officer provides appeal rights to the Office of General Counsel or the VHA Privacy Office in the written response to the Veteran regarding the outcome of the amendment request. If, after reviewing an individual's request to change or amend information in that individual's Privacy Act system of records, Altoona Veterans Health Administration does not concur or only partially concurs with the request, the individual is provided the right to appeal the decision to the Office of General Counsel.

7.5 PRIVACY IMPACT ASSESSMENT: Access, redress, and correction

Privacy Risk: There is a risk that Veterans whose records contain erroneous information may not receive notification of appointments, medications, or test results. Incorrect documentation could also result in a Veteran receiving an improper diagnosis or treatment.

Mitigation: The ALT-VHA mitigates the risk of incorrect information in an individual's records by authenticating information, when possible, using the resources discussed in question 1.5. VA Altoona Healthcare staff verify information in medical records and correct information identified as incorrect during each patient's medical appointment.

Additionally, VA Altoona Healthcare staff is informed of the importance of maintaining compliance with VA

Release of Information (ROI) policies and procedures and the importance of remaining alert to information

correction requests.

Section 8. Technical Access and Security – GSS and VistA

The following questions are intended to describe technical safeguards and security measures.

8.1 What procedures are in place to determine which users may access the system, and are they

documented?

Service Chiefs/Service Line Managers notify the Office of Information and Technology (OI&T) within 24 hours whenever a computer account is required or an existing account must be changed (new hire, change in position, employment termination). Account management (new, modify, terminate) and menu reviews use the Electronic Computer Access Request (ECAR) system.

ECAR is a role-based system that uses built-in processes and workflows to ensure that the medical center complies with VA Handbook 6500/CRISP (Continuous Readiness in Information Security Program) standards and guidelines and with NIST (National Institute of Standards and Technology) computer access controls for inter- and intra-facility computer and network access. Complete definitions of ECAR roles can be found in Appendix A.

This system replaces past practices for requesting computer access to network and e-mail accounts. It covers employees, without-compensation workers (WOCs), trainees, volunteers, and contractors, including those who need only the most minimal computer access, for example an e-mail account or a network login for a volunteer who must look up the location of a patient.

8.2 Will VA contractors have access to the system?


Yes. VA contractors will have access to the ALT-VHA system. Contractors are required to complete annual privacy and security training, read and agree to the VA Rules of Behavior, and/or complete new employee orientation and training. Contracts are reviewed by the Contracting Office, the Contracting Officer's Representative (COR), the Information Security Officer, the Privacy Officer, and the Records Manager. The COR monitors the performance of the contractor. Clearance levels are determined by the COR based on the position's sensitivity level and risk designation. Access is reviewed annually, and completion of the VA Privacy and Information Security Awareness and Rules of Behavior training and of privacy training is validated by the Information Security Officer.

8.3 Describe what privacy training is provided to users either generally or specifically relevant to the

program or system?

All users of the ALT-VHA system are required to complete the VA Privacy and Information Security Awareness and Rules of Behavior course, and users who have access to patient health information are also required to take the Privacy/HIPAA (Health Insurance Portability and Accountability Act) training course.

New employees also attend New Employee Orientation Training.

8.4 Has Assessment and Authorization (A&A) been completed for the system?

ALT-VHA is not an independent system. It is a component of the Region 4 General Support System, the Region 4 VistA System, and the Region 4 Infrastructure System, and is therefore covered under the Authority to Operate (ATO) issued for each of those systems (GSS, 2/27/2015; VistA, 3/4/2015).


Signature of Responsible Officials

The individuals below attest that the information provided in this Privacy Impact

Assessment is true and accurate.

_________________________________________

Privacy Officer, Therese Blocher RHIA

_________________________________________

Acting Information Security Officer, Elaine Ray

_________________________________________

System Owner, Michael Hynoski

__________________________________________

Individual Completing the PIA, Therese Blocher RHIA