Privacy Act of 1974; System of Records

#  Privacy Act of 1974; System of Records

**AGENCY:**

Veterans Health Administration (VHA, Department of Veterans Affairs (VA).

**ACTION:**

Notice of a modified system of records.

**SUMMARY:**

As required by the Privacy Act of 1974, notice is hereby given that VA is modifying the system of records titled “VHA Corporate Data Warehouses-VA” (172VA10). This system is used for clinical decision support, mobile applications presenting patient data, and statistical analysis to produce various management, workload tracking, and follow-up reports. It is also used to track and evaluate the ordering and delivery of equipment, services, and patient care; track the planning, distribution, and utilization of resources; monitor the performance of Veterans Integrated Service Networks; and allocate clinical and administrative support to patient medical care.

**DATES:**

Comments on this new system of records must be received no later than 30 days after the date of publication in the *Federal Register* . If no public comment is received during the period allowed for comment or unless otherwise published in the *Federal Register* by VA, the new system of records will become effective a minimum of 30 days after date of publication in the *Federal Register* . If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

**ADDRESSES:**

Comments may be submitted through *www.Regulations.gov* or mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), Washington, DC 20420. Comments should indicate that they are submitted in response to “VHA Corporate Data Warehouses-VA” (172VA10). Comments received will be available at *https://www.Regulations.gov/* for public viewing, inspection, or copies.

**FOR FURTHER INFORMATION CONTACT:**

Ms. Stephania Griffin, VHA Chief Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, (10DH03A), Washington, DC 20420, *[email protected],* telephone number 704-245-2492 (Note: This is not a toll-free number).

**SUPPLEMENTARY INFORMATION:**

VA is modifying the system of records by revising the categories of records in the system, record source categories, purpose(s) of the system, routine uses of records maintained in the system records, Notification Procedure, and Appendix A. VA is republishing the system notice in its entirety.

Categories of records in the system and record source categories are being modified to change 121VA10A7 to 121VA10.

Purpose(s) of the system is being updated to add, “to monitor the performance and produce management and actuarial reports of VHA and Veterans Integrated Service Networks,” and include, “The records and information may be used and shared, including through application programming interfaces (API), to meet statutory mandates regarding health care related programs.”

Routine uses of records maintained in the system is adding the following:

Routine use #1 and routine use #17 are duplicate. Therefore, routine use #17 is being replaced with a new routine use to state, “Centers for Disease Control and Prevention (CDC): To CDC and/or their designee or other Federal or state public health authorities in response to its request or at the initiation of VA, in connection with disease-tracking, patient outcomes, bio-surveillance or other health information required for program accountability.” VA needs the ability to conduct disease tracking to impact patient outcomes, respond to public health threats, and to contribute significantly to the CDC's ability to conduct and monitor public health surveillance.

Routine use #26 is being added to state, “National Cancer Institute (NCI): To the NCI and/or their designee and/or a state cancer or tumor registry in response to its request or at the initiation of VA for the purpose of population-based activities to improve health and disease management.” VA needs the ability to determine trends in the rates of the incidence of cancer in Veterans.

Routine use #27 is being added to state, “Third Party Non-Governmental/Governmental Applications: To a third party non-Governmental or Governmental application through the Provider Directory Application Programming Interface concerning health care provider's professional qualification. Information to be disclosed may include provider name, national provider identifier (NPI), VA medical facility address, VA employee email, VA facility telephone number, sex, and languages used.” VA needs to share provider information maintained in the corporate data warehouse through APIs with third party non-Governmental and Governmental applications mandated by the Centers for Medicaid and Medicare Services for the purpose of complying with 45 CFR 156.221(i).

The policies and practices for retention and disposal of records is being updated to replace “General Records Schedule 20, item 4” with “General Records Schedule 5.2, item 020.”

The Notification Procedure section is being update to state “Individuals who wish to be notified if a record in this system of records pertains to them should submit the request following the procedures described in ‘Record Access Procedures,’ above”.

Appendix A is being updated to change “HealtheIntent at Cerner Technology Centers (CTC)” to “Oracle Health Data Intelligence (HDI) at Oracle Technology Centers”, Change “Picture” to “Platform in “VA Common Operating Picture, Palantir Foundry” and to remove “Data Lake” from “VA  Enterprise Cloud, Microsoft Azure” to reflect the different locations where data may reside in Microsoft Azure.

**Signing Authority**

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Eddie Pool, Deputy Chief Information Officer, Connectivity and Collaboration Services, Performing the Delegable Duties of the Assistant Secretary for Information and Technology and Chief Information Officer, approved this document on July 23, 2025, for publication.

Dated: September 10, 2025.

Saurav Devkota,

Government Information Specialist, VA Privacy Service, Office of Compliance, Risk and Remediation, Office of Information and Technology, Department of Veterans Affairs.

**SYSTEM NAME AND NUMBER:**

VHA Corporate Data Warehouses—VA (172VA10)

**SECURITY CLASSIFICATION:**

Unclassified.

**SYSTEM LOCATION:**

Records are located in VA National Data Centers and the contracted data centers listed in Appendix A.

**SYSTEM MANAGER(S):**

Officials responsible for policies and procedures: Chief Health Informatics Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. Telephone number 202-461-5834 (This is not a toll-free number).

Officials maintaining this system of records: Director, National Data Systems, *[email protected],* Austin Information Technology Center, 1615 Woodward Street, Austin, TX 78772. The telephone number is 512-326-6188 (Note: This is not a toll-free number).

**AUTHORITY FOR MAINTENANCE OF THE SYSTEM:**

38 U.S.C. 501.

**PURPOSE(S) OF THE SYSTEM:**

The records and information may be used for clinical decision support, mobile applications presenting patient data, statistical analysis to produce various management, workload tracking, and follow-up reports; to track and evaluate the ordering and delivery of equipment, services and patient care; for the planning, distribution and utilization of resources; to monitor the performance and produce management and actuarial reports of the VHA and VISNs; and to allocate clinical and administrative support to patient medical care. The data may be used for VA's extensive research programs in accordance with VA policy and to monitor for bio-terrorist activity. In addition, the data may be used to assist in workload allocation for patient treatment services including provider panel management, nursing care, clinic appointments, surgery, diagnostic and therapeutic procedures; to plan and schedule training activities for employees; for audits, reviews and investigations conducted by the network directors office and VA Central Office; for quality assurance audits, reviews, and investigations; for law enforcement investigations; for reporting purposes for Veterans authorizations and preferences and other Veterans Health Information Exchange reporting needs; and for health care operations and for personnel management, evaluation and employee ratings, and performance evaluations. The records in the system may be used to perform calculations and derive data using machine learning, natural language processing, and other artificial intelligence tools to create additional data that is validated, stored, and then made available to system users for the other purposes described within this section. The records and information may be used and shared, including through APIs, to meet statutory mandates regarding health care related programs.

**CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:**

The records contain information for Veterans, members of the armed services, current and former employees, trainees, caregivers, contractors, sub-contractors, consultants, volunteers, and other individuals working collaboratively with VA who are:

(1) receiving health care from VA;

(2) receiving health care from Department of Defense (DoD);

(3) providing health care; or

(4) employed by VA or DoD.

**CATEGORIES OF RECORDS IN THE SYSTEM:**

The records include information related to:

1. Patient health record detailed information, including information from patient medical records—VA (24VA10A7) and Patient national databases—VA (121VA10) and from the Health Information Exchange—VA (168VA005).

2. Identifying information (such as: name, birth date, death date, admission date, discharge date, sex, social security number, taxpayer identification number); address information such as home and/or mailing address, home telephone number); emergency contact information such as name, address, telephone number, and relationship; prosthetic and sensory aid serial numbers; health record numbers; integration control numbers; information related to medical examination or treatment (such as the location of the VA medical facility providing examination or treatment, treatment dates, and medical conditions treated or noted on examination); and information related to military service and status.

3. Patient health insurance information, including information from revenue program billing and collection records—VA (114VA10).

4. Medical benefit and eligibility information, including information from revenue program billing and collection records—VA (114VA10).

5. Patient aggregate workload data such as admissions, discharges, and outpatient visits; resource utilization such as laboratory tests, x-rays, pharmaceuticals, prosthetics, and sensory aids; employee workload and productivity data.

6. Information on services or products needed in the provision of medical care (such as pacemakers, prosthetics, dental implants, and/or hearing aids), vendor name and address, details about and/or evaluation of service or product, price/fee, and dates purchased and delivered.

7. Health care practitioners' names, identification number, and other demographic information related to position.

8. Employees salary and benefit information.

9. Financial information from the Financial Management System.

10. Human resource information including employee grade, salary, and tour of duty;

11. Compensation and pension determinations, Veteran eligibility, and other information associated with administering Veteran benefits by the Veterans Benefit Administration.

12. Data from other Federal agencies.

13. Patient self-entered data through online forms (such as data from glucometers, step counters, and other personal medical devices).

14. Data derived from the above through calculations, machine learning, automated natural language processing, other artificial intelligence tools, and manually entered data confirming derived data results.

**RECORD SOURCE CATEGORIES:**

Information in this system of records is provided by Veterans, VA employees, VA computer systems, the Veterans  Health Information Systems and Technology Architecture, the VA electronic health record system, contracted computer systems, VA medical centers, VA program offices, VISNs, DoD, other Federal agencies, such as the CDC, state agencies, and non-VA health care providers, and from the following VA systems of records: patient medical records—VA (24VA10A7); patient national databases—VA (121VA10), the Health Information Exchange—VA (168VA005); and the revenue program billing and collection records—VA (114VA10).

**ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:**

To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164 (individually identifiable health information) and 38 U.S.C. 7332 (medical treatment information related to drug abuse; alcoholism or alcohol abuse; sickle cell anemia; or infection with the human immunodeficiency virus—that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160, 161, and 164.

*1. Law Enforcement, for Reporting Violations of Law:* To a Federal, state, local, territorial, tribal, or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing such law, provided that the disclosure is limited to information that, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature. The disclosure of the names and addresses of Veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701(f).

2. *External Source, for Identification:* To any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose(s) of the request, and to identify the type of information requested), when necessary to obtain information relevant to an individual's eligibility, care history, or other benefits.

3. *Federal Agencies, for Employment:* To a Federal agency, except the United States Postal Service, or to the District of Columbia government, in response to its request, in connection with that agency's decision on the hiring, transfer, or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit by that agency.

4. *Congress:* To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

5. *National Archives and Records Administration (NARA):* To NARA in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.

6. *Department of Justice (DOJ) for Litigation or Administrative Proceeding:* To DOJ, or in a proceeding before a court, adjudicative body, or other administrative body before which VA is authorized to appear, when any of the following is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings:

(a) VA or any component thereof;

(b) Any VA employee in his or her official capacity;

(c) Any VA employee in his or her official capacity where DOJ has agreed to represent the employee; or

(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components.

7. *Former Employee, Contractor, or Representative, for State Licensing Board (SLB) Reporting:* To a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in connection with or in consideration of reporting that the individual's professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients, to a Federal agency, a state or local government licensing board, or the Federation of State Medical Boards or a similar nongovernmental entity that maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty.

8. *SLB, for Licensing:* To a Federal agency, a state or local government licensing board, the Federation of State Medical Boards, or a similar non-governmental entity that maintains records concerning individuals' employment histories or concerning the issuance, retention, or revocation of licenses, certifications, or registration necessary to practice an occupation, profession, or specialty, to inform such non-governmental entities about the health care practices of a terminated, resigned, or retired health care employee whose professional health care activity so significantly failed to conform to generally accepted standards of professional medical practice as to raise reasonable concern for the health and safety of patients in the private sector or from another Federal Agency. These records may also be disclosed as part of an ongoing computer matching program to accomplish these purposes.

9. *Joint Commission, for Accreditation:* To survey teams of the Joint Commission, College of American Pathologists, American Association of Blood Banks, and similar national accreditation agencies or boards with which VA has a contract or agreement to conduct such reviews, as relevant and necessary for the purpose of program review or the seeking of accreditation or certification.

10. *National Certifying Body:* To a national certifying body which has the authority to make decisions concerning the issuance, retention or revocation of licenses, certifications or registrations required to practice a health care profession, when requested in writing by an investigator or supervisory official of the national certifying body for the purpose of making a decision concerning the issuance, retention or revocation of the license, certification or registration of a named health care professional.

11. *Unions:* To officials of labor organizations recognized under 5 U.S.C. Ch. 71 when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions.

12. *VA-Appointed Representative:* To the VA-appointed representative of an employee of all notices, determinations, decisions, or other written communications issued to the employee in connection with an examination ordered by VA under medical evaluation (formerly fitness-for-duty) examination procedures or Department filed disability retirement procedures.

13. *Merit Systems Protection Board (MSPB):* To the MSPB in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions  promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

14. *Equal Employment Opportunity Commission (EEOC):* To the EEOC in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or other functions of the Commission as authorized by law.

15. *Federal Labor Relations Authority (FLRA):* To the FLRA in connection with the investigation and resolution of allegations of unfair labor practices, the resolution of exceptions to arbitration awards when a question of material fact is raised; matters before the Federal Service Impasses Panel; and the investigation of representation petitions and the conduct or supervision of representation elections.

16. *Researchers, for Research:* To epidemiological and other research facilities approved by the Under Secretary for Health for research purposes determined to be necessary and proper.

17. *CDC:* To CDC and/or their designee or other Federal or state public health authorities in response to its request or at the initiation of VA, in connection with disease-tracking, patient outcomes, bio-surveillance or other health information required for program accountability.

18. *Contractors:* To contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.

19. *Federal Agencies, for Fraud and Abuse:* To other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

20. *Data Breach Response and Remediation, for VA:* To appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

21. *Federal Agencies, for Research:* To a Federal agency for the purpose of conducting research and data analysis to perform a statutory purpose of that Federal agency upon the prior written request of that agency.

22. *Office of Management and Budget (OMB) for Coordination, Evaluation of Federal Programs:* To OMB for the performance of its statutory responsibilities for evaluating Federal programs.

23. *DoD:* To DoD for joint ventures between the two Departments to promote improved patient care, better health care resource utilization, and formal research studies.

24. *Data Breach Response and Remediation, for Another Federal Agency:* To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

25. *Health Care Effectiveness Data and Information Set or Similar Auditors:* To health plans, quality review and/or peer review organizations in connection with the audit of claims or other review activities to determine quality of care or compliance with professionally accepted claims processing standards.

26. *NCI:* To NCI and/or their designee and/or a state cancer or tumor registry in response to its request or at the initiation of VA for the purpose of population-based activities to improve health and disease management.

27. *Third Party Non-Governmental/Governmental Applications:* To a third party non-Governmental application through the Provider Directory Application Programming Interface concerning health care provider's professional qualification. Information to be disclosed may include: provider name, NPI, VA medical facility address, VA employee email, VA facility telephone number, sex, and languages used.

**POLICIES AND PRACTICES FOR STORAGE OF RECORDS:**

Records are maintained on storage area networks, both in the Austin Information Technology Center and the VA Enterprise Cloud.

**POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:**

Records are retrieved by name, Social Security number or other assigned identifiers of the individuals on whom they are maintained.

**POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:**

Records in this system are retained and disposed of in accordance with the schedule approved by the Archivist of the United States, General Records Schedule 5.2, item 020.

**ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:**

1. Access to and use of VA data warehouses are limited to those persons whose official duties require such access, and the VA has established security procedures to ensure that access is appropriately limited. Information security officers and system data stewards review and authorize data access requests. VA regulates data warehouse access with security software that relies on network authentication. VA requires information security training to all staff and instructs staff on the responsibility each person has for safeguarding data confidentiality.

2. Physical access to computer rooms housing VA data warehouses are restricted to authorized staff and protected by a variety of security devices. Unauthorized employees, contractors, and other staff are not allowed in computer rooms.

3. Data transmissions between VA operational systems and VA data warehouses maintained by this system of record are protected by state-of-the-art telecommunication software and hardware. This may include firewalls, intrusion detection devices, encryption, and other security measures necessary to safeguard data as it travels across the VA wide area network.

4. In most cases, copies of back-up computer files are maintained at off-site locations.

5. Access to Cerner Technology Centers is generally restricted to Cerner employees, contractors or associates with a Cerner issued identification badge and other security personnel cleared for access to the data center. Access to computer rooms housing Federal data, hence Federal enclave, is restricted to persons Federally cleared for Federal enclave access through electronic badge entry devices. All other persons, such as custodians, gaining access to Federal enclave are escorted.

6. VA Enterprise Cloud data storage conforms to security protocols as stipulated in VA Directives 6500 and 6517. Access control standards are stipulated in specific agreements with cloud vendors to restrict and monitor access.

**RECORD ACCESS PROCEDURE:**

Individuals seeking information on the existence and content of records in this system pertaining to them may write to the Director of national Data Systems, Austin Information Technology Center, 1615 Woodward Street, Austin, TX 78772. A request for access to records must contain the requester's full name, address, telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort.

**CONTESTING RECORD PROCEDURES:**

Individuals seeking to contest or amend records in this system pertaining to them may write to the Director of National Data Systems, Austin Information Technology Center, 1615 Woodward Street, Austin, TX 78772. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.

**NOTIFICATION PROCEDURE:**

Individuals who wish to be notified if a record in this system of records pertains to them should submit the request following the procedures described in “Record Access Procedures,” above.

**EXEMPTIONS PROMULGATED FOR THE SYSTEM:**

None.

**HISTORY: 86 FR 72688.**

**VA APPENDIX A**

| Database name | Location |
| --- | --- |
| Corporate Data Warehouse | Austin Information Technology Center, 1615 Woodward Street, Austin, TX 78772. |
| Oracle Health Data Intelligence at Oracle Technology Centers | Primary Data Center, Kansas City, MO. |
| VA Common Operating Platform, Palantir Foundry | Participating servers in the United States. |
| VA Enterprise Cloud, Microsoft Azure | Participating servers in the United States. |
| VA Informatics and Computing Infrastructure | Austin Information Technology Center, 1615 Woodward Street, Austin, TX 78772. |
| VA Enterprise Cloud, Amazon Web Services | Participating servers in the United States. |