Veterans Affairs banner with U.S. FlagVeterans Affairs banner with U.S. Flag

Office Of Information & Technology (OI&T)

System of Records (SOR)

89VA19 - Health Eligibility Records-VA

System location:
Records are maintained at the Health Eligibility Center (HEC), 1644 Tullie Circle, Atlanta, Georgia 30329; the contractor of record's site; and the National Enrollment Database (NED) VA Austin Automation Center (AAC), Austin, Texas.

Categories of individuals covered by the system:
Veterans who have applied for health care services under Title 38, United States Code, Chapter 17; their spouses and dependents as provided for, in other provisions of Title 38, United States Code; and non-veterans inquiring about VA health care benefits.

Categories of records in the system:

The category of records in the system include:
National Enrollment Database (NED) records including: Medical benefit application and eligibility information; identifying information including name, address, date of birth, social security number, claim number, family information including spouse and dependent(s) name, address and social security number; employment information on veteran and spouse, including occupation, employer(s) name(s) and address(es); financial information concerning the veteran and the veteran's spouse including family income, assets, expenses, debts; third party health plan contract information, including health insurance carrier name and address, policy number and time period covered by policy; facility location(s) where treatment is provided; type of treatment provided, i.e., inpatient or outpatient; and dates of visits.

Health Eligibility Center (HEC) records including [formerly the Income Verification Match (IVM) record]: Federal Tax Information (FTI) generated as a result of income verification computer match with records from Internal Revenue Service (IRS) and the Social Security Administration (SSA); documents obtained during the notification, verification and due process periods, such as initial verification letters, income verification forms, final confirmation letters, due process letters, clarification letters and subpoena documentation. FTI is tax information and tax return information obtained from the IRS or SSA, such as taxpayer's identity, source or amount of income, payment deductions, exemptions, assets, net worth, tax liability, tax withheld, deficiencies, over assessments or tax payments. Individual correspondence provided to the HEC by veterans or family members including, but not limited to, copies of death certificates; DD 214, Notice of Separation; disability award letters; IRS documents (i.e., Form 1040's, W-2's, etc.); state welfare and food stamp applications; VA and other pension applications; VA Form 10-10EZ, Application for Medical Benefits; workers compensation forms; and various annual earnings statements, as well as pay stubs. VA may not disclose to any person in any manner FTI received from IRS and SSA except as necessary to determine eligibility for benefits in accordance with the Internal Revenue Code (IRC) 26 U.S.C. 6103 (l)(7). VA may not allow access to FTI by any contractor or subcontractor.

Call Center Records including: Veteran's name, social security number, address, date of birth, phone number, enrollment priority group and primary health care facility.

Authority for maintenance of the system:
Title 38, United States Code, Sections 501 (a), 1705, 1722, and 5317.

Purpose(s):
Information in the system of records is used to update, verify and validate veteran eligibility, conduct income testing and verification activities; to validate social security numbers of veterans and spouses of those veterans receiving VA health care benefits; to ensure accuracy of veterans' eligibility information for medical care benefits; to operate an annual enrollment system; to update veteran eligibility; provide enrollment materials to educate veterans on enrollment; respond to veteran and non veteran inquiries on enrollment and eligibility; and to compile management reports.

Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

To the extent that records contained in the system include information protected by 26 U.S.C. 6103(p)(4), i.e., the nature, source and amount of income, that information cannot be disclosed under a Routine Use set forth absent specific authorization from the IRS or the VA Office of General Counsel (024).

  1. The record of an individual who is covered by this system may be disclosed to a member of Congress or staff person acting for the member when the member or staff person requests the record on behalf of, and at the written request of, that individual.
  2. Disclosure of HEC (formerly IVM) records, as deemed necessary and proper to named individuals serving as accredited service organization representatives and other individuals named as approved agents or attorneys for a documented purpose and period of time, to aid beneficiaries in the preparation and presentation of their cases during the verification and/or due process procedures and in the presentation and prosecution of claims under laws administered by the Department of Veterans Affairs (VA).
  3. In the event that information in this system of records maintained by this agency to carry out its functions, indicates a suspected violation or reasonably imminent violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or a particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records may be referred at VA's initiative, as a routine use, to the appropriate agency, whether Federal, State, local or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto. However, names and addresses of veterans and their dependents will be released only to Federal entities.
  4. Relevant information from this system of records may be disclosed as a routine use: In the course of presenting evidence to a court, magistrate or administrative tribunal, in matters of guardianship, inquests and commitments; to private attorneys representing veterans rated incompetent in conjunction with issuance of Certificates of Incompetency; and to probation and parole officers in connection with Court required duties.
  5. Any information in this system may be disclosed to a VA Federal fiduciary or a guardian ad litem in relation to his or her representation of a veteran only to the extent necessary to fulfill the duties of the VA Federal fiduciary or the guardian ad litem.
  6. Relevant information may be disclosed to attorneys, insurance companies, employers, third parties liable or potentially liable under health plan contracts, and to courts, boards, or commissions only to the extent necessary to aid VA in the preparation, presentation, and prosecution of claims authorized under Federal, State, or local laws, and regulations promulgated thereunder.
  7. Relevant information may be disclosed to the Department of Justice and United States Attorneys in defense or prosecution of litigation involving the United States, and to Federal Agencies upon their request in connection with review of administrative tort claims filed under the Federal Tort Claims Act, 28 U.S.C. 2672.
  8. Disclosure may be made to National Archives and Records Administration (NARA) and General Services Administration (GSA) in records management inspections conducted under authority of Title 44 United States Code.
  9. Information in this system of records may be disclosed for the purposes identified below to a third party, except consumer reporting agencies, in connection with any proceeding for the collection of an amount owed to the United States by virtue of a person's participation in any benefit program administered by VA. Information may be disclosed under this routine use only to the extent that it is reasonably necessary for the following purposes: (a) To assist the VA in the collection of costs of services provided individuals not entitled to such services; and (b) to initiate civil or criminal legal actions for collecting amounts owed to the United States and/or for prosecuting individuals who willfully or fraudulently obtained or seek to obtain title 38 medical benefits. This disclosure is consistent with 38 U.S.C. 5701(b)(6).
  10. The name and address of a veteran, other information as is reasonably necessary to identify such veteran, including personal information obtained from other Federal agencies through computer matching programs, and any information concerning the veteran's indebtedness to the United States by virtue of the person's participation in a benefits program administered by the VA may be disclosed to a consumer reporting agency for purposes of assisting in the collection of such indebtedness, provided that the provisions of 38 U.S.C. 5701(g)(4) have been met.
  11. For computer matching program and Automated Data Processing (ADP) security review purposes, record information may be disclosed to teams from other source Federal agencies who are parties to computer matching agreements involving the information maintained in this system, but only to the extent that the information is necessary and relevant to the review.
  12. The name and identifying information on a veteran and/or spouse may be provided to reported payers of earned and/or unearned income in order to verify the identifier provided, address, income paid, period of employment, and health insurance information provided on the means test and to confirm income and demographic data provided by other Federal agencies during income verification computer matching.
  13. Identifying information, including Social Security Numbers, concerning veterans, their spouses, and the dependents of veterans may be disclosed to other Federal agencies for purposes of conducting computer matches to obtain valid identifying, demographic and income information to determine or verify eligibility of certain veterans who are receiving VA medical care under Title 38, United States Code.
  14. The name and social security number of a veteran, spouse and dependents, and other identifying information as is reasonably necessary may be disclosed to the Social Security Administration, Department of Health and Human Services, for the purpose of conducting a computer match to obtain information to validate the social security numbers maintained in VA records.
  15. Relevant information from this system may be disclosed to individuals, organizations, private or public agencies, etc., with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA in order for the contractor or subcontractor to perform the services of the contract or agreement.

Note: This routine use does not authorize disclosure of FTI received from the Internal Revenue Service or the Social Security Administration to contractors or subcontractors.

Policies and practices for storing, retrieving, accessing, retaining and disposing of records in the system:

Storage:
Records are maintained on magnetic tape, magnetic disk, optical disk and paper.

Retrievability:
Records (or information contained in records) maintained on paper documents are indexed and accessed by the veteran's name, social security number or case number and filed in case order number. Automated veterans' health eligibility records are indexed and retrieved by the veteran's name, social security number or case number. Automated health eligibility record information on spouses may be retrieved by the spouse's name or social security number.

Safeguards:

  1. Data transmissions between VA health care facilities and the HEC and VA databases housed at VA's AAC are accomplished using the Department's wide area network. The software programs at the respective facilities automatically flag records or events for transmission based upon functionality requirements. VA health care facilities and the HEC control access to data by using VHA's Veterans Health Information System and Technology Architecture (VISTA), (formerly known as Decentralized Hospital Computer Program (DHCP) software modules), specifically Kernel and MailMan. Kernel utility programs provide the interface between operating systems, application packages and users. Once data are identified for transmission, records are stored in electronic mail messages, which are then transmitted via the Department's electronic communications system (wide area network) to specific facilities on the Department's wide area network. Server jobs at each facility run continuously to check for data to be transmitted and/or incoming data which needs to be parsed to files on the receiving end. All mail messages containing data transmissions include header information that is used for validation purposes. Consistency checks in the software are used to validate the transmission, and electronic acknowledgment messages are returned to the sending application. The Department's Telecommunications Support Service has oversight responsibility for planning security.
  2. Working spaces and record storage areas at the HEC are secured during all business hours, as well as during non-business hours. All entrance doors require an electronic passcard for entry when unlocked, and entry doors are locked outside normal business hours. Electronic passcards are issued by the HEC Security Officer. HEC staff controls visitor entry by door release or escort. The building is equipped with an intrusion alarm system for non-business hours, and this system is monitored by a security service vendor. The office space occupied by employees with access to veteran records is secured with an electronic locking system, which requires a card for entry and exit of that office space. Access to the VA AAC is generally restricted to AAC staff, VA Headquarters employees, custodial personnel, Federal Protective Service and authorized operational personnel through electronic locking devices. All other persons gaining access to the computer rooms are escorted.
  3. Strict control measures are enforced to ensure that access to and disclosure from all records, including electronic files and veteran specific data elements, stored in the HEC veteran database is limited to VA employees whose official duties warrant access to those files. The HEC automated record system recognizes authorized users by keyboard entry of a series of unique passwords. Once the employee is logged onto the system, access to the files is controlled by discrete menus which are assigned by the HEC computer system administration staff, upon request from the employee's supervisor and employee's demonstrated need to access the data to perform the employee's assigned duties. A number of other security measures are implemented to enhance security of electronic records (automatic timeout after short period of inactivity, device locking after pre-set number of invalid logon attempts, etc.). Employees are required to sign a user access agreement acknowledging their knowledge of confidentiality requirements, and all employees receive annual training on information security. Access is deactivated when no longer required for official duties. Recurring monitors are in place to ensure compliance with nationally and locally established security measures.
  4. Veteran data is transmitted from the HEC to VA health care facilities and National Enrollment Database (NED) over the Department's computerized electronic communications system. Access to data in these files is controlled at the health care facility and NED level in accordance with nationally and locally established data security procedures. The NED is a database developed to support a national enrollment system. VA employees at these facilities are granted access to patient data on a ``need-to-know'' basis. All employees receive information security training and are issued unique access and verify codes. Employees are assigned computer menus that allow them to view and edit records as authorized by the supervisor. While employees at the health care facility may edit data which was initially input at the facility level, employees at the facility do not have edit access to income tests which originated at the HEC.
  5. In addition to passcards, the HEC computer room requires manual entry of a security code prior to entry. Only the Automated Information System (AIS) staff and the HEC security officer are issued the security code to this area. Programmer access to the HEC database is restricted only to those AIS staff whose official duties require that level of access.
  6. On-line data reside on magnetic media in the HEC computer room that is highly secured. Backup media are stored in a combination lock safe in a secured room within the same building; only information system staff has access to the safe. On a weekly basis, backup media are stored in off-site storage by a media storage vendor. The vendor picks up and returns the media in a locked storage container; vendor personnel do not have key access to the locked container.
  7. Any sensitive information that may be downloaded to personal computer files in the HEC or printed to hard copy format is provided the same level of security as the electronic records. All paper documents and informal notations containing sensitive data are shredded prior to disposal. All magnetic media (primary computer system) and personal computer disks are degaussed prior to disposal or release off site for repair.
  8. The IVM program of the HEC requires that HEC obtain veteran and spouse earned and unearned income data from IRS and SSA. The HEC complies fully with the Tax Information Security Guidelines for Federal, State and Local Agencies (Department of the Treasury IRS Publication 1075) as it relates to access and protection of such data. These guidelines define the management of magnetic media, paper and electronic records, and physical and electronic security of the data.
  9. All new HEC employees receive initial information security training with refresher training provided to all employees on an annual basis. An annual information security audit is performed by the VA Regional Information Security Officer. This annual audit includes the primary computer information system, the telecommunication system, and local area networks. Additionally, the IRS performs periodic on-site inspections to ensure the appropriate level of security is maintained for Federal tax data. The HEC Information Security Officer and AIS administrator additionally perform periodic reviews to ensure security of the system and databases.
  10. Identification codes and codes used to access HEC automated communications systems and records systems, as well as security profiles and possible security violations, are maintained on magnetic media in a secure environment at the Center. For contingency purposes, database back-ups on removable magnetic media are stored off-site by a licensed and bonded media storage vendor.
  11. Neither field offices, the contractor administering the Call Center for VHA, nor the NED will receive FTI from HEC.
  12. Contractor working spaces and record storage areas are secured during all business hours, as well as during non-business hours. All entrance doors require an electronic passcard for entry when unlocked, and entry doors are locked outside normal business hours. Electronic passcards are issued by the contractor's Security Officer. Visitor entry is controlled by the contractor's staff by door release and/or door escort. The building is equipped with an intrusion alarm system for non-business hours, and this system is monitored by a security service vendor.
  13. Strict control measures are enforced to ensure that access to and disclosure from all records including electronic files and veteran specific data elements in the contractor veteran call tracking database are limited to contractor's employees whose official duties warrant access to those files. The automated record system recognizes authorized users by keyboard entry of a series of unique passwords. Once the employee is logged onto the system, access to files is controlled by discrete menus, assigned by the contractor computer system administration staff upon request from the employee's supervisor and the employee's demonstrated need to access the data to perform assigned duties. A number of other security measures are implemented to enhance security of electronic records (automatic timeout after short period of inactivity, device locking after pre- set number of invalid logon attempts, etc.). Employees are required to sign a user security policy agreement acknowledging their understanding of confidentiality requirements, and all employees receive annual training on information security. Access is deactivated when no longer required for official duties.
  14. Contractors and subcontractors will adhere to the same safeguards and security requirements as the HEC is held to.

Retention and disposal:
Depending on the record medium, records are destroyed by either shredding or degaussing. Paper records are destroyed after they have been accurately scanned on optical disks. Optical disks or other electronic medium are deleted when all phases of the veteran's appeal rights have ended (ten years after the income year for which the means test verification was conducted). Tapes received from SSA and IRS are destroyed 30 days after the data have been validated as being a true copy of the original data. Summary reports and other output reports are destroyed when no longer needed for current operation. Records are disposed of in accordance with the records retention standards approved by the Archivist of the United States, National Archives and Records Administration, and published in the VHA Records Control Schedule 10-1. Regardless of the record medium, no records will be retired to a Federal records center.

System manager(s) and address:
Official responsible for policies and procedures: Chief Information Officer (19), VA Central Office, 810 Vermont Avenue, NW., Washington, DC 20420. Official maintaining the system: Director, Health Eligibility Center, 1644 Tullie Circle, Atlanta, Georgia 30329.

Notification procedure:
An individual who wishes to determine whether a record is being maintained in this system under his or her name or other personal identifier or wants to determine the contents of such record, should submit a written request or apply in person to the Health Eligibility Center. All inquiries must reasonably identify the records requested. Inquiries should include the individual's full name, social security number and return address.

Record access procedures:
Individuals seeking information regarding access to and contesting of HEC records may write to the Director, HEC, 1644 Tullie Circle, Atlanta, Georgia 30329.

Contesting record procedures:
(See Record Access procedures above).

Record source categories:
Information in the systems of records may be provided by the veteran; veteran's spouse or other family members or accredited representatives or friends; employers and other payers of earned income; financial institutions and other payers of unearned income; health insurance carriers; other Federal agencies; ``Patient Medical Records--VA'' (24VA136) system of records; Veterans Benefits Administration automated record systems (including Veterans and Beneficiaries Identification and Records Location Subsystem--VA (38VA23); and the ``Compensation, Pension, Education and Rehabilitation Records--VA'' (58VA21/22).


Back to Index




[back to top]