CHAPTER 57—RECORDS AND INVESTIGATIONS

SUBCHAPTER I—RECORDS

        

SUBCHAPTER II—INVESTIGATIONS

        

SUBCHAPTER III—INFORMATION SECURITY

        

Editorial Notes

Amendments

2015—Pub. L. 114–31, §2(c), July 20, 2015, 129 Stat. 430, added item 5706.

2006—Pub. L. 109–461, title IX, §902(b), Dec. 22, 2006, 120 Stat. 3460, added item for subchapter III and items 5721 to 5728.

1991—Pub. L. 102–54, §14(d)(5)(B), (6)(C), June 13, 1991, 105 Stat. 286, amended table of sections at beginning of chapter as in effect immediately before the enactment of Pub. L. 102–40 by substituting "subpoenas" for "subpenas" in item 3311 and "subpoena" for "subpena" in item 3313.

Pub. L. 102–40, title IV, §402(c)(1), May 7, 1991, 105 Stat. 239, renumbered items 3301 to 3313 as 5701 to 5713, respectively.

1980—Pub. L. 96–385, title V, §505(b), Oct. 7, 1980, 94 Stat. 1537, added item 3305.

Statutory Notes and Related Subsidiaries

Removal of Dependents From Award of Compensation or Pension

Pub. L. 116–315, title II, §2008, Jan. 5, 2021, 134 Stat. 4977, provided that: "Beginning not later than 90 days after the date of the enactment of this Act [Jan. 5, 2021], the Secretary of Veterans Affairs shall ensure that—

"(1) the recipient of an award of compensation or pension may remove any dependent from an award of compensation or pension to the individual using the eBenefits system of the Department of Veterans Affairs, or a successor system; and

"(2) such removal takes effect not later than 60 days after the date on which the recipient elects such removal."

Updating Dependent Information

Pub. L. 115–407, title V, §502, Dec. 31, 2018, 132 Stat. 5376, provided that: "The Secretary of Veterans Affairs shall make such changes to such information technology systems of the Department of Veterans Affairs, including the eBenefits system or successor system, as may be necessary so that whenever the Secretary records in such systems information about a dependent of a person, the person is able to review and revise such information."

Oversight of Electronic Health Record Modernization Program

Pub. L. 115–407, title V, §503, Dec. 31, 2018, 132 Stat. 5376, as amended by Pub. L. 117–154, §2(a), June 23, 2022, 136 Stat. 1303, provided that:

"(a) Program Documents.—Not later than 30 days after the date of the enactment of this Act [Dec. 31, 2018], the Secretary of Veterans Affairs shall submit to the appropriate congressional committees the following documents concerning the Electronic Health Record Modernization Program:

"(1) Integrated Master Plan.

"(2) Integrated Master Schedule.

"(3) Program Management Plan.

"(4) Annual and lifecycle cost estimates, including, at a minimum, cost elements relating to—

"(A) Federal Government labor;

"(B) contractor labor;

"(C) hardware;

"(D) software; and

"(E) testing and evaluation.

"(5) Cost baseline.

"(6) Risk Management Plan.

"(7) Health IT Strategic Architecture Plan.

"(8) Transition Plan for implementing updated architecture.

"(9) Data Migration Plan.

"(10) System and Data Security Plan.

"(11) Application Implementation Plan.

"(12) System Design Documents.

"(13) Legacy Veterans Information Systems and Technology Architecture Standardization, Security Enhancement, and Consolidation Project Plan.

"(14) Health Data Interoperability Management Plan.

"(15) Community Care Vision and Implementation Plan, including milestones and a detailed description of how complete interoperability with non-Department health care providers will be achieved.

"(b) Quarterly Updates.—Not later than 30 days after the end of each fiscal quarter during the period beginning with the fiscal quarter in which this Act is enacted and ending on the date on which the Electronic Health Record Modernization Program is completed, the Secretary shall submit to the appropriate congressional committees the most recent updated versions, if any exist, of the following documents:

"(1) Integrated Master Schedule.

"(2) Program Management Plan, including any written Program Management Review material developed for the Program Management Plan during the fiscal quarter covered by the submission.

"(3) Each document described in subsection (a)(4).

"(4) Performance Baseline Report for the fiscal quarter covered by the submission or for the fiscal quarter ending the fiscal year prior to the submission.

"(5) Budget Reconciliation Report.

"(6) Risk Management Plan and Risk Register.

"(c) Contracts.—Not later than 5 days after awarding a contract, order, or agreement, including any modifications thereto, under the Electronic Health Record Modernization Program, the Secretary shall submit to the appropriate congressional committees a copy of the entire such contract, order, agreement, or modification.

"(d) Notification.—

"(1) Requirement.—Not later than 10 days after an event described in paragraph (2) occurs, the Secretary shall notify the appropriate congressional committees of such occurrence, including a description of the event and an explanation for why such event occurred.

"(2) Event described.—An event described in this paragraph is any of the following events regarding the Electronic Health Record Modernization Program:

"(A) The delay of any milestone or deliverable by 30 or more days.

"(B) A request for equitable adjustment, equitable adjustment, [sic] or change order exceeding $1,000,000 (as such terms are defined in the Federal Acquisition Regulation).

"(C) The submission of any protest, claim, or dispute, and the resolution of any protest, claim, or dispute (as such terms are defined in the Federal Acquisition Regulation).

"(D) A loss of clinical or other data.

"(E) A breach of patient privacy, including any—

"(i) disclosure of protected health information that is not permitted under regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191; 42 U.S.C. 1320d–2 note); and

"(ii) breach of sensitive personal information (as defined in section 5727 of title 38, United States Code).

"(e) Quarterly Reports.—

"(1) Reports on costs of ehrm program.—Not later than 90 days after the date of the enactment of the VA Electronic Health Record Transparency Act of 2021 [June 23, 2022], and every 30 days after the last day of each fiscal quarter thereafter until the termination date specified in paragraph (3), the Secretary of Veterans Affairs shall submit to the Committees on Veterans' Affairs of the Senate and House of Representatives a report on the costs of the Electronic Health Record Modernization program of the Department of Veterans Affairs. Each such report shall include, for the period covered by the report and for the total period beginning on the date of the enactment of the VA Electronic Health Record Transparency Act of 2021 and ending on the date of the submittal of the report, a description of all actual expenses of, and driven by, such program, including any such expenses paid using—

"(A) any funds appropriated for the Department of Veterans Affairs, for any source or account, expended by any organizational element of the Department or by the Federal Electronic Health Record Modernization Office for the Electronic Health Record Modernization Program;

"(B) any funds, from any source or account, expended by any organizational element of the Department for physical or technology infrastructure modifications, enhancements, improvements, or expansions at a facility of the Department necessitated by, or related or pertaining to, the Electronic Health Record Modernization Program; and

"(C) any funds, from any source or account, expended by any organizational element of the Department or by the Federal Electronic Health Record Modernization Office for consultants, support contractors, or experts related or pertaining to the Electronic Health Record Modernization Program.

"(2) Reports on performance metrics and outcomes.—Not later than 90 days after the date of the enactment of the VA Electronic Health Record Transparency Act of 2021, and every 30 days after the last day of each fiscal quarter thereafter until the termination date specified in paragraph (3), the Secretary of Veterans Affairs shall submit to the Committees on Veterans' Affairs of the Senate and House of Representatives a report on the performance metrics and outcomes of the Electronic Health Record Modernization Program. Each such report shall include, for the period covered by the report—

"(A) a list of the quality, performance, safety, or value metrics, key performance indicators, and other diagnostic or evaluation criteria in use to assess the Electronic Health Record Modernization Program and the electronic health record system, in general and at individual facilities, with respect to veterans, employees of the Department, and Departmental operations;

"(B) an explanation of any change to any of such metrics, indicators, and criteria compared to the metrics, indicators, and criteria included in any previous report submitted under this paragraph;

"(C) the data supporting or demonstrating each such metric, indicator, and criteria compared to the data supporting or demonstrating such metric, indicator, or criteria as included in the previous report submitted under this paragraph; and

"(D) a list of patient safety reports, incidents, alerts, or disclosures at each facility of the Department where the electronic health record system has been implemented.

"(3) Termination date.—The requirement to submit a report under paragraph (1) shall terminate on the date that is 90 days after the date on which the Secretary submits to the Committees on Veterans' Affairs of the Senate and House of Representatives certification that the Electronic Health Record Modernization program has been fully implemented.

"(f) Definitions.—In this section:

"(1) The term 'appropriate congressional committees' means—

"(A) the Committees on Veterans' Affairs of the House of Representatives and the Senate; and

"(B) the Committees on Appropriations of the House of Representatives and the Senate.

"(2) The term 'Electronic Health Record Modernization Program' means—

"(A) any activities by the Department of Veterans Affairs to procure or implement an electronic health or medical record system to replace any or all of the Veterans Information Systems and Technology Architecture, the Computerized Patient Record System, the Joint Legacy Viewer, or the Enterprise Health Management Platform; and

"(B) any contracts or agreements entered into by the Secretary of Veterans Affairs to carry out, support, or analyze the activities under subparagraph (A).

"(3) The term 'electronic health record system' means the electronic health record system implemented pursuant to the Electronic Health Record Modernization Program.

"(4) The term 'Federal Electronic Health Record Management Office' means the office established under section 1635(b) of the Wounded Warrior Act (title XVI of Public Law 110–181; 10 U.S.C. 1071 note).

"(5) The term 'facility of the Department' includes a joint facility of the Department of Veterans Affairs and the Department of Defense."

Discontinuation of Use of Social Security Numbers To Identify Individuals in Department of Veterans Affairs Information Systems

Pub. L. 118–42, div. A, title II, §237, Mar. 9, 2024, 138 Stat. 55, provided that:

"(a) The Secretary of Veterans Affairs, in consultation with the Secretary of Defense and the Secretary of Labor, shall discontinue collecting and using Social Security account numbers to authenticate individuals in all information systems of the Department of Veterans Affairs for all individuals not later than September 30, 2024.

"(b) The Secretary of Veterans Affairs may collect and use a Social Security account number to identify an individual, in accordance with section 552a of title 5, United States Code, in an information system of the Department of Veterans Affairs if and only if the use of such number is necessary to:

"(1) obtain or provide information the Secretary requires from an information system that is not under the jurisdiction of the Secretary;

"(2) comply with a law, regulation, or court order;

"(3) perform anti-fraud activities; or

"(4) identify a specific individual where no adequate substitute is available.

"(c) The matter in subsections (a) and (b) shall supersede section 237 of division J of Public Law 117–328 [see below]."

Similar provisions were contained in the following acts:

Pub. L. 117–328, div. J, title II, §237, Dec. 29, 2022, 136 Stat. 4965.

Pub. L. 117–103, div. J, title II, §237, Mar. 15, 2022, 136 Stat. 556.

Pub. L. 116–260, div. J, title II, §237, Dec. 27, 2020, 134 Stat. 1681.

Pub. L. 116–94, div. F, title II, §238, Dec. 20, 2019, 133 Stat. 2804.

Pub. L. 115–244, div. C, title II, §239, Sept. 21, 2018, 132 Stat. 2972.

Pub. L. 115–141, div. J, title II, §240, Mar. 23, 2018, 132 Stat. 822.

SUBCHAPTER I—RECORDS

§5701. Confidential nature of claims

(a) All files, records, reports, and other papers and documents pertaining to any claim under any of the laws administered by the Secretary and the names and addresses of present or former members of the Armed Forces, and their dependents, in the possession of the Department shall be confidential and privileged, and no disclosure thereof shall be made except as provided in this section.

(b) The Secretary shall make disclosure of such files, records, reports, and other papers and documents as are described in subsection (a) of this section as follows:

(1) To a claimant or duly authorized agent or representative of a claimant as to matters concerning the claimant alone when, in the judgment of the Secretary, such disclosure would not be injurious to the physical or mental health of the claimant and to an independent medical expert or experts for an advisory opinion pursuant to section 5109 of this title.

(2) When required by process of a United States court to be produced in any suit or proceeding therein pending.

(3) When required by any department or other agency of the United States Government.

(4) In all proceedings in the nature of an inquest into the mental competency of a claimant.

(5) In any suit or other judicial proceeding when in the judgment of the Secretary such disclosure is deemed necessary and proper.

(6) In connection with any proceeding for the collection of an amount owed to the United States by virtue of a person's participation in any benefit program administered by the Secretary when in the judgment of the Secretary such disclosure is deemed necessary and proper.

(c)(1) The amount of any payment made by the Secretary to any person receiving benefits under a program administered by the Secretary shall be made known to any person who applies for such information.

(2) Any appraisal report or certificate of reasonable value submitted to or prepared by the Secretary in connection with any loan guaranteed, insured, or made under chapter 37 of this title shall be made available to any person who applies for such report or certificate.

(3) Subject to the approval of the President, the Secretary may publish at any time and in any manner any or all information of record pertaining to any claim filed with the Secretary if the Secretary determines that the public interest warrants or requires such publication.

(d) The Secretary as a matter of discretion may authorize an inspection of Department records by duly authorized representatives of recognized organizations.

(e) Except as otherwise specifically provided in this section with respect to certain information, the Secretary may release information, statistics, or reports to individuals or organizations when in the Secretary's judgment such release would serve a useful purpose.

(f) The Secretary may, pursuant to regulations the Secretary shall prescribe, release the name or address, or both, of any present or former member of the Armed Forces, or a dependent of a present or former member of the Armed Forces, (1) to any nonprofit organization if the release is directly connected with the conduct of programs and the utilization of benefits under this title, or (2) to any criminal or civil law enforcement governmental agency or instrumentality charged under applicable law with the protection of the public health or safety if a qualified representative of such agency or instrumentality has made a written request that such name or address be provided for a purpose authorized by law. Any organization or member thereof or other person who, knowing that the use of any name or address released by the Secretary pursuant to the preceding sentence is limited to the purpose specified in such sentence, willfully uses such name or address for a purpose other than those so specified, shall be guilty of a misdemeanor and be fined not more than $5,000 in the case of a first offense and not more than $20,000 in the case of any subsequent offense.

(g)(1) Subject to the provisions of this subsection, and under regulations which the Secretary shall prescribe, the Secretary may release the name or address, or both, of any person who is a present or former member of the Armed Forces, or who is a dependent of a present or former member of the Armed Forces, to a consumer reporting agency if the release of such information is necessary for a purpose described in paragraph (2) of this subsection.

(2) A release of information under paragraph (1) of this subsection concerning a person described in such paragraph may be made for the purpose of—

(A) locating such a person—

(i) who has been administratively determined to be indebted to the United States by virtue of the person's participation in a benefits program administered by the Secretary; or

(ii) if the Secretary has determined under such regulations that (I) it is necessary to locate such person in order to conduct a study pursuant to section 527 of this title or a study required by any other provision of law, and (II) all reasonable steps have been taken to assure that the release of such information to such reporting agency will not have an adverse effect on such person; or

(B) obtaining a consumer report in order to assess the ability of a person described in subparagraph (A)(i) of this paragraph to repay the indebtedness of such person to the United States, but the Secretary may release the name or address of such person for the purpose stated in this clause only if the Secretary determines under such regulations that such person has failed to respond appropriately to administrative efforts to collect such indebtedness.

(3) The Secretary may also release to a consumer reporting agency, for the purposes specified in subparagraph (A) or (B) of paragraph (2) of this subsection, such other information as the Secretary determines under such regulations is reasonably necessary to identify a person described in such paragraph, except that the Secretary may not release to a consumer reporting agency any information which indicates any indebtedness on the part of such person to the United States or any information which reflects adversely on such person. Before releasing any information under this paragraph, the Secretary shall, under such regulations, take reasonable steps to provide for the protection of the personal privacy of persons about whom information is proposed to be released under this paragraph.

(4)(A) If the Secretary determines, under regulations which the Secretary shall prescribe, that a person described in paragraph (1) of this subsection has failed to respond appropriately to reasonable administrative efforts to collect an indebtedness of such person described in paragraph (2)(A)(i) of this subsection, the Secretary may release information concerning the indebtedness, including the name and address of such person, to a consumer reporting agency for the purpose of making such information available for inclusion in consumer reports regarding such person and, if necessary, for the purpose of locating such person, if—

(i) the Secretary has (I) made reasonable efforts to notify such person of such person's right to dispute through prescribed administrative processes the existence or amount of such indebtedness and of such person's right to request a waiver of such indebtedness under section 5302 of this title, (II) afforded such person a reasonable opportunity to exercise such rights, and (III) made a determination with respect to any such dispute or request; and

(ii) thirty calendar days have elapsed after the day on which the Secretary has made a determination that reasonable efforts have been made to notify such person (I) that the Secretary intends to release such information for such purpose or purposes, and (II) that, upon the request of such person, the Secretary shall inform such person of whether such information has been so released and of the name and address of each consumer reporting agency to which such information was released by the Secretary and of the specific information so released.

(B) After release of any information under subparagraph (A) of this paragraph concerning the indebtedness of any person, the Secretary shall promptly notify—

(i) each consumer reporting agency to which such information has been released by the Secretary; and

(ii) each consumer reporting agency described in subsection (i)(3)(B)(i) of this section to which such information has been transmitted by the Secretary through a consumer reporting agency described in subsection (i)(3)(B)(ii)(I) of this section,

of any substantial change in the status or amount of such indebtedness and, upon the request of any such consumer reporting agency for verification of any or all information so released, promptly verify or correct, as appropriate, such information. The Secretary shall also, after the release of such information, inform such person, upon the request of such person, of the name and address of each consumer reporting agency described in clause (i) or (ii) of this subparagraph to which such information was released or transmitted by the Secretary and of the specific information so released or transmitted.

(h)(1) Under regulations which the Secretary shall prescribe, the Secretary may release the name or address, or both, of any person who is a present or former member of the Armed Forces, or who is a dependent of a present or former member of the Armed Forces (and other information relating to the identity of such person), to any person in a category of persons described in such regulations and specified in such regulations as a category of persons to whom such information may be released, if the release of such information is necessary for a purpose described in paragraph (2) of this subsection.

(2) A release of information under paragraph (1) of this subsection may be made for the purpose of—

(A) determining the creditworthiness, credit capacity, income, or financial resources of a person who has (i) applied for any benefit under chapter 37 of this title, or (ii) submitted an offer to the Secretary for the purchase of property acquired by the Secretary under section 3720(a)(5) of this title;

(B) verifying, either before or after the Secretary has approved a person's application for assistance in the form of a loan guaranty or loan insurance under chapter 37 of this title, information submitted by a lender to the Secretary regarding the creditworthiness, credit capacity, income, or financial resources of such person;

(C) offering for sale or other disposition by the Secretary, pursuant to section 3720 of this title, any loan or installment sale contract owned or held by the Secretary; or

(D) providing assistance to any applicant for benefits under chapter 37 of this title or administering such benefits if the Secretary promptly records the fact of such release in appropriate records pertaining to the person concerning whom such release was made.

(i)(1) No contract entered into for any of the purposes of subsection (g) or (h) of this section, and no action taken pursuant to any such contract or either such subsection, shall result in the application of section 552a of title 5 to any consumer reporting agency or any employee of a consumer reporting agency.

(2) The Secretary shall take reasonable steps to provide for the protection of the personal privacy of persons about whom information is disclosed under subsection (g) or (h) of this section.

(3) For the purposes of this subsection and of subsection (g) of this section—

(A) The term "consumer report" has the meaning provided such term in subsection (d) of section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).

(B) The term "consumer reporting agency" means—

(i) a consumer reporting agency as such term is defined in subsection (f) of section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)), or

(ii) any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of (I) obtaining credit or other information on consumers for the purpose of furnishing such information to consumer reporting agencies (as defined in clause (i) of this paragraph), or (II) serving as a marketing agent under arrangements enabling third parties to obtain such information from such reporting agencies.

(j) Except as provided in subsection (i)(1) of this section, any disclosure made pursuant to this section shall be made in accordance with the provisions of section 552a of title 5.

(k)(1)(A) Under regulations that the Secretary shall prescribe, the Secretary may disclose the name and address of any individual described in subparagraph (C) to an entity described in subparagraph (B) in order to facilitate the determination by such entity whether the individual is, or after death will be, a suitable organ, tissue, or eye donor if—

(i) the individual is near death (as determined by the Secretary) or is deceased; and

(ii) the disclosure is permitted under regulations promulgated pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).

(B) An entity described in this subparagraph is—

(i) an organ procurement organization, including eye and tissue banks; or

(ii) an entity that the Secretary has determined—

(I) is substantially similar in function, professionalism, and reliability to an organ procurement organization; and

(II) should be treated for purposes of this subsection in the same manner as an organ procurement organization.

(C) An individual described in this subparagraph is—

(i) a veteran; or

(ii) a dependent of veteran.

(2) In this subsection, the term "organ procurement organization" has the meaning given the term "qualified organ procurement organization" in section 371(b) of the Public Health Service Act (42 U.S.C. 273(b)).

(l)(1) Under regulations the Secretary shall prescribe, the Secretary shall disclose information about a covered individual to a State controlled substance monitoring program, including a program approved by the Secretary of Health and Human Services under section 399O of the Public Health Service Act (42 U.S.C. 280g–3), to the extent necessary to prevent misuse and diversion of prescription medicines.

(2) In this subsection, a "covered individual" is an individual who is dispensed medication prescribed by an employee of the Department or by a non-Department provider authorized to prescribe such medication by the Department.

(Pub. L. 85–857, Sept. 2, 1958, 72 Stat. 1236, §3301; Pub. L. 87–671, §2, Sept. 19, 1962, 76 Stat. 557; Pub. L. 91–24, §11, June 11, 1969, 83 Stat. 34; Pub. L. 92–540, title IV, §412, Oct. 24, 1972, 86 Stat. 1093; Pub. L. 94–321, §1(a), June 29, 1976, 90 Stat. 713; Pub. L. 94–581, title II, §210(b), Oct. 21, 1976, 90 Stat. 2863; Pub. L. 96–466, title VI, §606, Oct. 17, 1980, 94 Stat. 2212; Pub. L. 101–94, title III, §302(a), Aug. 16, 1989, 103 Stat. 628; renumbered §5701 and amended Pub. L. 102–40, title IV, §402(b)(1), (d)(1), May 7, 1991, 105 Stat. 238, 239; Pub. L. 102–83, §§2(c)(6), 4(a)(1), (2)(A)(xi), (3), (4), (b)(1), (2)(E), 5(c)(1), Aug. 6, 1991, 105 Stat. 402–406; Pub. L. 107–14, §8(a)(13), June 5, 2001, 115 Stat. 35; Pub. L. 109–461, title II, §204(a), Dec. 22, 2006, 120 Stat. 3411; Pub. L. 112–74, div. H, title II, §230(a), Dec. 23, 2011, 125 Stat. 1159; Pub. L. 114–198, title IX, §914, July 22, 2016, 130 Stat. 765; Pub. L. 114–223, div. A, title II, §246, Sept. 29, 2016, 130 Stat. 884; Pub. L. 115–55, §2(u)(2), Aug. 23, 2017, 131 Stat. 1113; Pub. L. 115–86, §2, Nov. 21, 2017, 131 Stat. 1276.)

Editorial Notes

References in Text

Section 264 of the Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (k)(1)(A)(ii), is section 264 of title II of Pub. L. 104–191, Aug. 21, 1996, 110 Stat. 2033, which is set out as a note under section 1320d–2 of Title 42, The Public Health and Welfare.

Amendments

2017—Subsec. (b)(1). Pub. L. 115–55 struck out "or 7109" after "section 5109".

Subsec. (l). Pub. L. 115–86 designated existing provisions as par. (1), substituted "about a covered individual" for "about a veteran or the dependent of a veteran", and added par. (2).

2016—Subsec. (l). Pub. L. 114–198 and Pub. L. 114–223 amended subsec. (l) identically, substituting "shall disclose" for "may disclose".

2011—Subsec. (l). Pub. L. 112–74 added subsec. (l).

2006—Subsec. (k). Pub. L. 109–461 added subsec. (k).

2001—Subsec. (g)(2)(B). Pub. L. 107–14 substituted "subparagraph (A)(i)" for "clause (A)(i)".

Subsec. (g)(3). Pub. L. 107–14 substituted "subparagraph (A) or (B)" for "clause (A) or (B)".

1991—Pub. L. 102–40, §402(b)(1), renumbered section 3301 of this title as this section.

Subsec. (a). Pub. L. 102–83, §4(a)(3), (4), substituted "Department" for "Veterans' Administration".

Pub. L. 102–83, §4(a)(1), substituted "administered by the Secretary" for "administered by the Veterans' Administration".

Subsec. (b). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator" in introductory provisions and in pars. (1), (5), and (6).

Pub. L. 102–83, §4(a)(1), substituted "administered by the Secretary" for "administered by the Veterans' Administration" in par. (6).

Pub. L. 102–40, §402(d)(1), substituted "5109" and "7109" for "3009" and "4009", respectively, in par. (1).

Subsec. (c)(1). Pub. L. 102–83, §4(a)(2)(A)(xi), substituted "Secretary" for first reference to "Veterans' Administration".

Pub. L. 102–83, §4(a)(1), substituted "administered by the Secretary" for "administered by the Veterans' Administration".

Subsec. (c)(2). Pub. L. 102–83, §4(a)(2)(A)(xi), substituted "Secretary" for "Veterans' Administration".

Subsec. (c)(3). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator" in two places.

Pub. L. 102–83, §4(a)(2)(A)(xi), substituted "Secretary" for "Veterans' Administration" after "with the".

Subsec. (d). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator".

Pub. L. 102–83, §4(a)(3), (4), substituted "Department" for "Veterans' Administration".

Subsec. (e). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator" and "Secretary's" for "Administrator's".

Subsec. (f). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator" wherever appearing.

Subsec. (g)(1). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator" in two places.

Subsec. (g)(2)(A)(i). Pub. L. 102–83, §4(a)(1), substituted "administered by the Secretary" for "administered by the Veterans' Administration".

Subsec. (g)(2)(A)(ii). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator".

Pub. L. 102–83, §2(c)(6), substituted "section 527" for "section 219".

Subsec. (g)(2)(B), (3), (4). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator" wherever appearing.

Subsec. (g)(4)(A)(i). Pub. L. 102–40, §402(d)(1), substituted "5302" for "3102".

Subsec. (h). Pub. L. 102–83, §5(c)(1), substituted "3720(a)(5)" for "1820(a)(5)" in par. (2)(A) and "3720" for "1820" in par. (2)(C).

Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator" wherever appearing.

Subsec. (i)(2). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator".

1989—Subsec. (b)(1). Pub. L. 101–94 substituted "section 3009 or 4009" for "section 4009".

1980—Subsec. (a). Pub. L. 96–466, §606(a), substituted "members of the Armed Forces" for "personnel of the armed services".

Subsec. (b)(6). Pub. L. 96–466, §606(b), added par. (6).

Subsec. (c). Pub. L. 96–466, §606(c), designated existing provisions as pars. (1) and (3) with minor changes in language, and in par. (1) as so designated, substituted reference to the amount of any payment made by the Veterans' Administration to any person receiving benefits under a program administered by the Veterans' Administration for reference to the amount of pension, compensation, or dependency and indemnity compensation of any beneficiary, and added par. (2).

Subsec. (f). Pub. L. 96–466, §606(d), substituted "name or address, or both, of any present or former member of the Armed Forces, or a dependent of a present or former member of the Armed Forces" for "names or addresses, or both, of any present or former members of the Armed Forces, and/or their dependents" and "written request that such name or address" for "written request that such names or addresses".

Subsecs. (g) to (i). Pub. L. 96–466, §606(e), added subsecs. (g) to (i). Former subsec. (g) redesignated (j).

Subsec. (j). Pub. L. 96–466, §606(e), (f), redesignated former subsec. (g) as (j) and substituted "Except as provided in subsection (i)(1) of this section, any" for "Any".

1976—Subsec. (a). Pub. L. 94–321, §1(a)(1), (2), designated introductory par. as subsec. (a) and as so designated, substituted "provided in this section." for "follows:".

Subsec. (b). Pub. L. 94–321, §1(a)(2), added subsec. (b). Pars. (1) to (5), formerly set out following introductory par., became part of such subsec. (b).

Subsec. (b)(1). Pub. L. 94–581, §210(b)(1), substituted "claimant or duly authorized agent or representative of a claimant as to matters concerning the claimant alone" for "claimant or his duly authorized agent or representative as to matters concerning himself alone".

Subsec. (c). Pub. L. 94–321, §1(a)(3), redesignated par. (6) as subsec. (c).

Subsec. (d). Pub. L. 94–581, §210(b)(2), substituted "as a matter of discretion" for "in his discretion".

Pub. L. 94–321, §1(a)(3), redesignated par. (7) as subsec. (d).

Subsec. (e). Pub. L. 94–581, §210(b)(3), substituted "in the Administrator's judgment" for "in his judgment".

Pub. L. 94–321, §1(a)(3), (4), redesignated par. (8) as subsec. (e) and substituted "Except as otherwise specifically provided in this section with respect to certain information, the" for "The".

Subsec. (f). Pub. L. 94–321, §1(a)(3), (5), redesignated par. (9) as subsec. (f) and inserted provision relating to the release of information pursuant to this subsection to criminal or civil law enforcement governmental agencies and increased the penalty for misuse of such information to the status of a misdemeanor, with a fine of not more than $5,000 for the first offense and not more than $20,000 for any subsequent offense.

Subsec. (g). Pub. L. 94–321, §1(a)(5), added subsec. (g).

1972—Pub. L. 92–540 in introductory provision inserted reference to the names and addresses of present or former personnel of the armed forces, and their dependents, in the possession of the Veterans' Administration, and added par. (9).

1969—Par. (1). Pub. L. 91–24 substituted "the claimant and to an independent" for "the claimant. And to an independent".

1962—Par. (1). Pub. L. 87–671 inserted provisions authorizing disclosure to an independent medical expert or experts for an advisory opinion pursuant to section 4009 of this title.

Statutory Notes and Related Subsidiaries

Effective Date of 2017 Amendment

Amendment by Pub. L. 115–55 applicable to all claims for which the Secretary of Veterans Affairs provides notice of a decision under section 5104 of this title on or after the later of 540 days after Aug. 23, 2017, or 30 days after the date on which the Secretary submits to Congress a certification of certain capabilities of the Department of Veterans Affairs to carry out the new appeals system established by Pub. L. 115–55 and to address appeals of decisions on legacy claims, with provision for early applicability of the new appeals system to certain claims, see section 2(x) of Pub. L. 115–55, set out as a note under section 101 of this title, and bracketed note thereunder.

Effective Date of 1989 Amendment

Pub. L. 101–94, title III, §302(c), Aug. 16, 1989, 103 Stat. 628, provided that: "The amendments made by subsections (a) and (b) [amending this section and section 4092 [now 7292] of this title] shall take effect as if included in the Veterans' Judicial Review Act [div. A of Pub. L. 100–687]."

Effective Date of 1980 Amendment

Amendment by Pub. L. 96–466 effective Oct. 1, 1980, except as otherwise specifically provided, see section 802(f) of Pub. L. 96–466, set out as an Effective Date note under section 5314 of this title.

Effective Date of 1976 Amendments

Amendment by Pub. L. 94–581 effective Oct. 21, 1976, see section 211 of Pub. L. 94–581, set out as a note under section 111 of this title.

Pub. L. 94–321, §1(b), June 29, 1976, 90 Stat. 714, provided that: "The amendments made by subsection (a) of this section with respect to subsection (f) (as redesignated by subsection (a)(3) of this section) of section 3301 [now 5701] of title 38, United States Code (except for the increase in criminal penalties for a violation of the second sentence of such subsection (f)), shall be effective with respect to names or addresses released on and after October 24, 1972."

Effective Date of 1962 Amendment

Pub. L. 87–671, §4, Sept. 19, 1962, 76 Stat. 557, provided that: "The amendments made by this Act [enacting section 4009 [now 7109] of this title and amending this section] shall be effective January 1, 1963."

Regulations

Pub. L. 109–461, title II, §204(c), Dec. 22, 2006, 120 Stat. 3411, provided that: "The Secretary of Veterans Affairs shall prescribe regulations under subsection (k) of section 5701 of title 38, United States Code, as added by subsection (a), not later than 180 days after the date of the enactment of this Act [Dec. 22, 2006]."

§5702. Furnishing of records

(a) Any person desiring a copy of any record, paper, and so forth, in the custody of the Secretary that may be disclosed under section 5701 of this title must submit to the Secretary an application in writing, including an electronic request submitted through the website or online tool established under subsection (b), for such copy. The application shall state specifically—

(1) the particular record, paper, and so forth, a copy of which is desired and whether certified or uncertified;

(2) the purpose for which such copy is desired to be used; and

(3) the format in which such copy is desired, including whether in printed form or by downloadable file.

(b)(1) The Secretary shall establish and maintain a secure website or online tool for a claimant or a duly recognized agent or representative of that claimant to submit an electronic request for such records.

(2) The Secretary, upon receipt of a valid request made through the website or online tool established under paragraph (1), shall provide to the requestor—

(A) not later than 10 days after receipt, confirmation of such receipt; and

(B) not later than 120 days after receipt, such records requested in the form selected by the requestor.

(c) The Secretary may establish a schedule of fees for copies and certification of such records.

(Pub. L. 85–857, Sept. 2, 1958, 72 Stat. 1236, §3302; renumbered §5702 and amended Pub. L. 102–40, title IV, §402(b)(1), (d)(1), May 7, 1991, 105 Stat. 238, 239; Pub. L. 102–83, §4(a)(2)(A)(xii), (b)(1), (2)(E), Aug. 6, 1991, 105 Stat. 403–405; Pub. L. 103–446, title XII, §1201(e)(16), Nov. 2, 1994, 108 Stat. 4686; Pub. L. 118–21, §2(a),(b), Nov. 13, 2023, 137 Stat. 109.)

Editorial Notes

Amendments

2023—Subsec. (a). Pub. L. 118–21, §2(b)(1), substituted "in writing, including an electronic request submitted through the website or online tool established under subsection (b)," for "in writing" in introductory provisions.

Subsec. (a)(3). Pub. L. 118–21, §2(b)(2)–(4), added par. (3).

Subsecs. (b), (c). Pub. L. 118–21, §2(a), added subsec. (b) and redesignated former subsec. (b) as (c).

1994—Pub. L. 103–446, §1201(e)(16)(A), (B), inserted "(a)" before "Any person desiring" and substituted "custody of the Secretary that may be disclosed under section 5701 of this title must submit to the Secretary an application in writing for such copy. The application shall state" for "custody of the Secretary, which may be disclosed under section 5701 of this title, must make written application therefor to the Secretary, stating".

Subsec. (b). Pub. L. 103–446, §1201(e)(16)(C), which directed amendment of subsec. (c) by substituting "may establish" for "is authorized to fix", was executed to subsec. (b) to reflect the probable intent of Congress, because the language sought to be amended appears in subsec. (b) and this section does not contain a subsec. (c).

1991—Pub. L. 102–40, §402(b)(1), renumbered section 3302 of this title as this section.

Pub. L. 102–83, §4(a)(2)(A)(xii), which directed amendment of subsec. (a) of this section by substituting "Secretary" for "Veterans' Administration" in two places, was executed to the undesignated first par., to reflect the probable intent of Congress.

Pub. L. 102–40, §402(d)(1), substituted "5701" for "3301" in undesignated first par.

Subsec. (b). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator".

Statutory Notes and Related Subsidiaries

Deadline; Establishment of Website or Online Tool

Pub. L. 118–21, §2(c), Nov. 13, 2023, 137 Stat. 109, provided that: "Not later than one year after the date of the enactment of this Act [Nov. 13, 2023], the Secretary of Veterans Affairs shall establish the website or online tool required under section 5702(b)(1) of title 38, United States Code, as added by this Act, and, to the extent practicable, the Secretary shall utilize existing online resources of the Department of Veterans Affairs for the purposes of such establishment."

§5703. Certification of records of District of Columbia

When a copy of any public record of the District of Columbia is required by the Secretary to be used in determining the eligibility of any person for benefits under laws administered by the Secretary, the official custodian of such public record shall without charge provide the applicant for such benefits or any person (including any veterans' organization) acting on the veteran's behalf or the authorized representative of the Secretary with a certified copy of such record.

(Pub. L. 85–857, Sept. 2, 1958, 72 Stat. 1237, §3303; Pub. L. 99–576, title VII, §701(78), Oct. 28, 1986, 100 Stat. 3298; renumbered §5703, Pub. L. 102–40, title IV, §402(b)(1), May 7, 1991, 105 Stat. 238; Pub. L. 102–83, §4(a)(1), (2)(A)(xiii), Aug. 6, 1991, 105 Stat. 403.)

Editorial Notes

Amendments

1991—Pub. L. 102–40 renumbered section 3303 of this title as this section.

Pub. L. 102–83 substituted "Secretary" for "Veterans' Administration" in two places and "administered by the Secretary" for "administered by the Veterans' Administration".

1986—Pub. L. 99–576 substituted "the veteran's" for "his".

§5704. Transcript of trial records

The Secretary may purchase transcripts of the record, including all evidence, of trial of litigated cases.

(Pub. L. 85–857, Sept. 2, 1958, 72 Stat. 1237, §3304; renumbered §5704, Pub. L. 102–40, title IV, §402(b)(1), May 7, 1991, 105 Stat. 238; Pub. L. 102–83, §4(b)(1), (2)(E), Aug. 6, 1991, 105 Stat. 404, 405.)

Editorial Notes

Amendments

1991—Pub. L. 102–40 renumbered section 3304 of this title as this section.

Pub. L. 102–83 substituted "Secretary" for "Administrator".

§5705. Confidentiality of medical quality-assurance records

(a) Records and documents created by the Department as part of a medical quality-assurance program (other than reports submitted pursuant to section 7311(g) ¹ of this title) are confidential and privileged and may not be disclosed to any person or entity except as provided in subsection (b) of this section.

(b)(1) Subject to paragraph (2) of this subsection, a record or document described in subsection (a) of this section shall, upon request, be disclosed as follows:

(A) To a Federal agency or private organization, if such record or document is needed by such agency or organization to perform licensing or accreditation functions related to Department health-care facilities or to perform monitoring, required by statute, of Department health-care facilities.

(B) To a Federal executive agency or provider of health-care services, if such record or document is required by such agency or provider for participation by the Department in a health-care program with such agency or provider.

(C) To a criminal or civil law enforcement governmental agency or instrumentality charged under applicable law with the protection of the public health or safety, if a qualified representative of such agency or instrumentality makes a written request that such record or document be provided for a purpose authorized by law.

(D) To health-care personnel, to the extent necessary to meet a medical emergency affecting the health or safety of any individual.

(2) The name of and other identifying information regarding any individual patient or employee of the Department, or any other individual associated with the Department for purposes of a medical quality-assurance program, contained in a record or document described in subsection (a) of this section shall be deleted from any record or document before any disclosure made under this subsection if disclosure of such name and identifying information would constitute a clearly unwarranted invasion of personal privacy.

(3) No person or entity to whom a record or document has been disclosed under this subsection shall make further disclosure of such record or document except for a purpose provided in this subsection.

(4) Nothing in this section shall be construed as authority to withhold any record or document from a committee of either House of Congress or any joint committee of Congress, if such record or document pertains to any matter within the jurisdiction of such committee or joint committee.

(5) Nothing in this section shall be construed as limiting the use of records and documents described in subsection (a) of this section within the Department (including contractors and consultants of the Department).

(6) Nothing in this section shall be construed as authorizing or requiring withholding from any person or entity the disclosure of statistical information regarding Department health-care programs (including such information as aggregate morbidity and mortality rates associated with specific activities at individual Department health-care facilities) that does not implicitly or explicitly identify individual patients or employees of the Department, or individuals who participated in the conduct of a medical quality-assurance review.

(c) For the purpose of this section, the term "medical quality-assurance program" means—

(1) with respect to any activity carried out before October 7, 1980, a Department systematic health-care review activity carried out by or for the Department for the purpose of improving the quality of medical care or improving the utilization of health-care resources in Department health-care facilities; and

(2) with respect to any activity carried out on or after October 7, 1980, a Department systematic health-care review activity designated by the Secretary to be carried out by or for the Department for either such purpose.

(d)(1) The Secretary shall prescribe regulations to carry out this section. In prescribing such regulations, the Secretary shall specify those activities carried out before October 7, 1980, which the Secretary determines meet the definition of medical quality-assurance program in subsection (c)(1) of this section and those activities which the Secretary has designated under subsection (c)(2) of this section. The Secretary shall, to the extent appropriate, incorporate into such regulations the provisions of the administrative guidelines and procedures governing such programs in existence on October 7, 1980.

(2) An activity may not be considered as having been designated as a medical quality-assurance program for the purposes of subsection (c)(2) of this section unless the designation has been specified in such regulations.

(e) Any person who, knowing that a document or record is a document or record described in subsection (a) of this section, willfully discloses such record or document except as provided for in subsection (b) of this section shall be fined not more than $5,000 in the case of a first offense and not more than $20,000 in the case of a subsequent offense.

(Added Pub. L. 96–385, title V, §505(a), Oct. 7, 1980, 94 Stat. 1535, §3305; amended Pub. L. 99–166, title II, §201, Dec. 3, 1985, 99 Stat. 949; renumbered §5705 and amended Pub. L. 102–40, title IV, §§402(b)(1), 403(b)(2), May 7, 1991, 105 Stat. 238, 239; Pub. L. 102–54, §14(d)(4), June 13, 1991, 105 Stat. 285; Pub. L. 102–83, §4(a)(2)(F), (3), (4), (b)(1), (2)(E), Aug. 6, 1991, 105 Stat. 404, 405.)

Editorial Notes

References in Text

Section 7311(g) of this title, referred to in subsec. (a), was repealed by Pub. L. 103–446, title XII, §1201(g)(5), Nov. 2, 1994, 108 Stat. 4687.

Amendments

1991—Pub. L. 102–40, §402(b)(1), renumbered section 3305 of this title as this section.

Subsec. (a). Pub. L. 102–83, §4(a)(3), (4), substituted "Department" for "Veterans' Administration".

Pub. L. 102–40, §403(b)(2), substituted "section 7311(g)" for "section 4152(b)".

Subsec. (b)(1)(A), (B). Pub. L. 102–83, §4(a)(3), (4), substituted "Department" for "Veterans' Administration" wherever appearing.

Subsec. (b)(2). Pub. L. 102–83, §4(a)(3), (4), substituted "Department" for "Veterans' Administration".

Pub. L. 102–83, §4(a)(2)(F)(i), substituted "patient or employee of the Department" for "Veterans' Administration patient or employee".

Subsec. (b)(5). Pub. L. 102–83, §4(a)(3), (4), substituted "Department" for "Veterans' Administration" in two places.

Subsec. (b)(6). Pub. L. 102–83, §4(a)(3), (4), substituted "Department" for "Veterans' Administration" in two places.

Pub. L. 102–83, §4(a)(2)(F)(ii), substituted "patients or employees of the Department," for "Veterans' Administration patients or employees".

Subsec. (c)(1). Pub. L. 102–83, §4(a)(3), (4), substituted "Department" for "Veterans' Administration" wherever appearing.

Pub. L. 102–54, §14(d)(4)(A), amended subsec. (c)(1) as in effect immediately before the enactment of Pub. L. 102–40 by substituting "October 7, 1980" for "the date of the enactment of this section".

Subsec. (c)(2). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator".

Pub. L. 102–83, §4(a)(3), (4), substituted "Department" for "Veterans' Administration" in two places.

Pub. L. 102–54, §14(d)(4)(A), amended subsec. (c)(2) as in effect immediately before the enactment of Pub. L. 102–40 by substituting "October 7, 1980" for "the date of the enactment of this section".

Subsec. (d)(1). Pub. L. 102–83, §4(b)(1), (2)(E), substituted "Secretary" for "Administrator" wherever appearing.

Pub. L. 102–54, §14(d)(4)(B)(i)–(iii), amended subsec. (d)(1) as in effect immediately before the enactment of Pub. L. 102–40 by substituting "The" for "Not later than 180 days after the date of the enactment of this section, the" in first sentence, substituting "October 7, 1980," for "such enactment date" in second sentence, and striking out "existing" after "provisions of the" and inserting "in existence on October 7, 1980" after "such programs" in last sentence.

Subsec. (d)(2). Pub. L. 102–54, §14(d)(4)(B)(iv), amended subsec. (d)(2) as in effect immediately before the enactment of Pub. L. 102–40 by substituting "An activity may not be considered" for "After the date on which such regulations are first prescribed, no activity shall be considered".

1985—Subsec. (a). Pub. L. 99–166, §201(1), inserted "(other than reports submitted pursuant to section 4152(b) of this title)" after "program".

Subsec. (b)(6). Pub. L. 99–166, §201(2), added par. (6).

Statutory Notes and Related Subsidiaries

Effective Date

Section effective Oct. 7, 1980, see section 601(d) of Pub. L. 96–385, set out as an Effective Date of 1980 Amendment note under section 1114 of this title.

¹ See References in Text note below.

§5706. Veterans identification card

(a) In General.—The Secretary of Veterans Affairs shall issue an identification card described in subsection (b) to each veteran who—

(1) requests such card;

(2) presents a copy of Department of Defense form DD–214 or other official document from the official military personnel file of the veteran that describes the service of the veteran; and

(3) pays the fee under subsection (c)(1).

(b) Identification Card.—An identification card described in this subsection is a card issued to a veteran that—

(1) displays a photograph of the veteran;

(2) displays the name of the veteran;

(3) explains that such card is not proof of any benefits to which the veteran is entitled to;

(4) contains an identification number that is not a social security number; and

(5) serves as proof that such veteran—

(A) served in the Armed Forces; and

(B) has a Department of Defense form DD–214 or other official document in the official military personnel file of the veteran that describes the service of the veteran.

(c) Costs of Card.—(1) The Secretary shall charge a fee to each veteran who receives an identification card issued under this section, including a replacement identification card.

(2)(A) The fee charged under paragraph (1) shall equal such amount as the Secretary determines is necessary to issue an identification card under this section.

(B) In determining the amount of the fee under subparagraph (A), the Secretary shall ensure that the total amount of fees collected under paragraph (1) equals an amount necessary to carry out this section, including costs related to any additional equipment or personnel required to carry out this section.

(C) The Secretary shall review and reassess the determination under subparagraph (A) during each five-year period in which the Secretary issues an identification card under this section.

(3) Amounts collected under this subsection shall be deposited in an account of the Department available to carry out this section. Amounts so deposited shall be—

(A) merged with amounts in such account;

(B) available in such amounts as may be provided in appropriation Acts; and

(C) subject to the same conditions and limitations as amounts otherwise in such account.

(d) Effect of Card on Benefits.—(1) An identification card issued under this section shall not serve as proof of any benefits that the veteran may be entitled to under this title.

(2) A veteran who is issued an identification card under this section shall not be entitled to any benefits under this title by reason of possessing such card.

(e) Administrative Measures.—(1) The Secretary shall ensure that any information collected or used with respect to an identification card issued under this section is appropriately secured.

(2) The Secretary may determine any appropriate procedures with respect to issuing a replacement identification card.

(3) In carrying out this section, the Secretary shall coordinate with the National Personnel Records Center.

(4) The Secretary may conduct such outreach to advertise the identification card under this section as the Secretary considers appropriate.

(f) Construction.—This section shall not be construed to affect identification cards otherwise provided by the Secretary to veterans enrolled in the health care system established under section 1705(a) of this title.

(Added Pub. L. 114–31, §2(b), July 20, 2015, 129 Stat. 428.)

Statutory Notes and Related Subsidiaries

Effective Date

Pub. L. 114–31, §2(d), July 20, 2015, 129 Stat. 430, provided that: "The amendments made by this Act [enacting this section] shall take effect on the date that is 60 days after the date of the enactment of this Act [July 20, 2015]."

Veterans Identification Card; Findings

Pub. L. 114–31, §2(a), July 20, 2015, 129 Stat. 428, provided that:

"Congress makes the following findings:

"(1) Effective on the day before the date of the enactment of this Act [July 20, 2015], veteran identification cards were issued to veterans who have either completed the statutory time-in-service requirement for retirement from the Armed Forces or who have received a medical-related discharge from the Armed Forces.

"(2) Effective on the day before the date of the enactment of this Act, a veteran who served a minimum obligated time in service, but who did not meet the criteria described in paragraph (1), did not receive a means of identifying the veteran's status as a veteran other than using the Department of Defense form DD–214 discharge papers of the veteran.

"(3) Goods, services, and promotional activities are often offered by public and private institutions to veterans who demonstrate proof of service in the military, but it is impractical for a veteran to always carry Department of Defense form DD–214 discharge papers to demonstrate such proof.

"(4) A general purpose veteran identification card made available to veterans would be useful to demonstrate the status of the veterans without having to carry and use official Department of Defense form DD–214 discharge papers.

"(5) On the day before the date of the enactment of this Act, the Department of Veterans Affairs had the infrastructure in place across the United States to produce photographic identification cards and accept a small payment to cover the cost of these cards."

SUBCHAPTER II—INVESTIGATIONS

§5711. Authority to issue subpoenas

(a) For the purposes of the laws administered by the Secretary, the Secretary, and those employees to whom the Secretary may delegate such authority, to the extent of the authority so delegated, shall have the power to—

(1) issue subpoenas for and compel the attendance of witnesses within a radius of 100 miles from the place of hearing;

(2) require the production of books, papers, documents, and other evidence;

(3) take affidavits and administer oaths and affirmations;

(4) aid claimants in the preparation and presentation of claims; and

(5) make investigations and examine witnesses upon any matter within the jurisdiction of the Department.

(b) Any person required by such subpoena to attend as a witness shall be allowed and paid the same fees and mileage as are paid witnesses in the district courts of the United States.

(Pub. L. 85–857, Sept. 2, 1958, 72 Stat. 1237, §3311; renumbered §5711, Pub. L. 102–40, title IV, §402(b)(1), May 7, 1991, 105 Stat. 238; Pub. L. 102–54, §14(d)(5)(A), June 13, 1991, 105 Stat. 286.)

Editorial Notes

Amendments

1991—Pub. L. 102–40 renumbered section 3311 of this title as this section.

Pub. L. 102–54 amended section as in effect immediately before the enactment of Pub. L. 102–40 by substituting "subpoenas" for "subpenas" in section catchline and amending text generally. Prior to amendment, text read as follows: "For the purposes of the laws administered by the Veterans' Administration, the Administrator, and those employees to whom the Administrator may delegate such authority, to the extent of the authority so delegated, shall have the power to issue subpenas for and compel the attendance of witnesses within a radius of one hundred miles from the place of hearing, to require the production of books, papers, documents, and other evidence, to take affidavits, to administer oaths and affirmations, to aid claimants in the preparation and presentation of claims, and to make investigations and examine witnesses upon any matter within the jurisdiction of the Veterans' Administration. Any person required by such subpena to attend as a witness shall be allowed and paid the same fees and mileage as are paid witnesses in the district courts of the United States."

§5712. Validity of affidavits

Any such oath, affirmation, affidavit, or examination, when certified under the hand of any such employee by whom it was administered or taken and authenticated by the seal of the Department, may be offered or used in any court of the United States and without further proof of the identity or authority of such employee shall have like force and effect as if administered or taken before a clerk of such court.

(Pub. L. 85–857, Sept. 2, 1958, 72 Stat. 1237, §3312; renumbered §5712, Pub. L. 102–40, title IV, §402(b)(1), May 7, 1991, 105 Stat. 238; Pub. L. 102–83, §4(a)(3), (4), Aug. 6, 1991, 105 Stat. 404.)

Editorial Notes

Amendments

1991—Pub. L. 102–40 renumbered section 3312 of this title as this section.

Pub. L. 102–83 substituted "Department" for "Veterans' Administration".

§5713. Disobedience to subpoena

In case of disobedience to any such subpoena, the aid of any district court of the United States may be invoked in requiring the attendance and testimony of witnesses and the production of documentary evidence, and such court within the jurisdiction of which the inquiry is carried on may, in case of contumacy or refusal to obey a subpoena issued to any officer, agent, or employee of any corporation or to any other person, issue an order requiring such corporation or other person to appear or to give evidence touching the matter in question; and any failure to obey such order of the court may be punished by such court as a contempt thereof.

(Pub. L. 85–857, Sept. 2, 1958, 72 Stat. 1237, §3313; renumbered §5713, Pub. L. 102–40, title IV, §402(b)(1), May 7, 1991, 105 Stat. 238; Pub. L. 102–54, §14(d)(6)(A), (B), June 13, 1991, 105 Stat. 286.)

Editorial Notes

Amendments

1991—Pub. L. 102–40 renumbered section 3313 of this title as this section.

Pub. L. 102–54 amended section as in effect immediately before the enactment of Pub. L. 102–40 by substituting "subpoena" for "subpena" in section catchline and in two places in text.

SUBCHAPTER III—INFORMATION SECURITY

§5721. Purpose

The purpose of the Information Security Program is to establish a program to provide security for Department information and information systems commensurate to the risk of harm, and to communicate the responsibilities of the Secretary, Under Secretaries, Assistant Secretaries, other key officials, Assistant Secretary for Information and Technology, Associate Deputy Assistant Secretary for Cyber and Information Security, and Inspector General of the Department of Veterans Affairs as outlined in the provisions of subchapter III of chapter 35 of title 44 (also known as the "Federal Information Security Management Act of 2002", which was enacted as part of the E-Government Act of 2002 (Public Law 107–347)).

(Added Pub. L. 109–461, title IX, §902(a), Dec. 22, 2006, 120 Stat. 3450.)

Editorial Notes

References in Text

The Federal Information Security Management Act of 2002, referred to in text, is the statutory short title for title III of Pub. L. 107–347, Dec. 17, 2002, 116 Stat. 2946, and for title X of Pub. L. 107–296, Nov. 25, 116 Stat. 2259. For complete classification of these Acts to the Code, see Short Title of 2002 Amendments note set out under section 101 of Title 44, Public Printing and Documents, Short Title note set out under section 101 of Title 6, Domestic Security, and Tables.

The E-Government Act of 2002, referred to in text, is Pub. L. 107–347, Dec. 17, 2002, 116 Stat. 2899. For complete classification of this Act to the Code, see Tables.

Statutory Notes and Related Subsidiaries

Regulations

Pub. L. 109–461, title IX, §902(c), Dec. 22, 2006, 120 Stat. 3460, provided that: "Not later than one year after the date of the enactment of this Act [Dec. 22, 2006], the Secretary of Veterans Affairs shall prescribe regulations to carry out subchapter III of chapter 57 of title 38, United States Code, as added by subsection (a)."

§5722. Policy

(a) In General.—The security of Department information and information systems is vital to the success of the mission of the Department. To that end, the Secretary shall establish and maintain a comprehensive Department-wide information security program to provide for the development and maintenance of cost-effective security controls needed to protect Department information, in any media or format, and Department information systems.

(b) Elements.—The Secretary shall ensure that the Department information security program includes the following elements:

(1) Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the Department.

(2) Policies and procedures that—

(A) are based on risk assessments;

(B) cost-effectively reduce security risks to an acceptable level; and

(C) ensure that information security is addressed throughout the life cycle of each Department information system.

(3) Selection and effective implementation of minimum, mandatory technical, operational, and management security controls, or other compensating countermeasures, to protect the confidentiality, integrity, and availability of each Department system and its information.

(4) Subordinate plans for providing adequate security for networks, facilities, systems, or groups of information systems, as appropriate.

(5) Annual security awareness training for all Department employees, contractors, and all other users of VA sensitive data and Department information systems that identifies the information security risks associated with the activities of such employees, contractors, and users and the responsibilities of such employees, contractors, and users to comply with Department policies and procedures designed to reduce such risks.

(6) Periodic testing and evaluation of the effectiveness of security controls based on risk, including triennial certification testing of all management, operational, and technical controls, and annual testing of a subset of those controls for each Department system.

(7) A process for planning, developing, implementing, evaluating, and documenting remedial actions to address deficiencies in information security policies, procedures, and practices.

(8) Procedures for detecting, immediately reporting, and responding to security incidents, including mitigating risks before substantial damage is done as well as notifying and consulting with the US-Computer Emergency Readiness Team of the Department of Homeland Security, law enforcement agencies, the Inspector General of the Department, and other offices as appropriate.

(9) Plans and procedures to ensure continuity of operations for Department systems.

(c) Compliance With Certain Requirements.—The Secretary shall comply with the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements promulgated by the National Institute of Standards and Technology and the Office of Management and Budget that define Department information system mandates.

(Added Pub. L. 109–461, title IX, §902(a), Dec. 22, 2006, 120 Stat. 3450.)

§5723. Responsibilities

(a) Secretary of Veterans Affairs.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Secretary is responsible for the following:

(1) Ensuring that the Department adopts a Department-wide information security program and otherwise complies with the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.

(2) Ensuring that information security protections are commensurate with the risk and magnitude of the potential harm to Department information and information systems resulting from unauthorized access, use, disclosure, disruption, modification, or destruction.

(3) Ensuring that information security management processes are integrated with Department strategic and operational planning processes.

(4) Ensuring that the Under Secretaries, Assistant Secretaries, and other key officials of the Department provide adequate security for the information and information systems under their control.

(5) Ensuring enforcement and compliance with the requirements imposed on the Department under the provisions of subchapter III of chapter 35 of title 44.

(6) Ensuring that the Department has trained program and staff office personnel sufficient to assist in complying with all the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.

(7) Ensuring that the Assistant Secretary for Information and Technology, in coordination with the Under Secretaries, Assistant Secretaries, and other key officials of the Department report to Congress, the Office of Management and Budget, and other entities as required by law and Executive Branch direction on the effectiveness of the Department information security program, including remedial actions.

(8) Notifying officials other than officials of the Department of data breaches when required under this subchapter.

(9) Ensuring that the Assistant Secretary for Information and Technology has the authority and control necessary to develop, approve, implement, integrate, and oversee the policies, procedures, processes, activities, and systems of the Department relating to subchapter III of chapter 35 of title 44, including the management of all related mission applications, information resources, personnel, and infrastructure.

(10) Submitting to the Committees on Veterans' Affairs of the Senate and House of Representatives, the Committee on Government Reform of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate, not later than March 1 each year, a report on the compliance of the Department with subchapter III of chapter 35 of title 44, with the information in such report displayed in the aggregate and separately for each Administration, office, and facility of the Department.

(11) Taking appropriate action to ensure that the budget for any fiscal year, as submitted by the President to Congress under section 1105 of title 31, sets forth separately the amounts required in the budget for such fiscal year for compliance by the Department with Federal law and regulations governing information security, including this subchapter and subchapter III of chapter 35 of title 44.

(12) Providing notice to the Director of the Office of Management and Budget, the Inspector General of the Department, and such other Federal agencies as the Secretary considers appropriate of a presumptive data breach of which notice is provided the Secretary under subsection (b)(16) if, in the opinion of the Assistant Secretary for Information and Technology, the breach involves the information of twenty or more individuals.

(b) Assistant Secretary for Information and Technology.—The Assistant Secretary for Information and Technology, as the Chief Information Officer of the Department, is responsible for the following:

(1) Establishing, maintaining, and monitoring Department-wide information security policies, procedures, control techniques, training, and inspection requirements as elements of the Department information security program.

(2) Issuing policies and handbooks to provide direction for implementing the elements of the information security program to all Department organizations.

(3) Approving all policies and procedures that are related to information security for those areas of responsibility that are currently under the management and the oversight of other Department organizations.

(4) Ordering and enforcing Department-wide compliance with and execution of any information security policy.

(5) Establishing minimum mandatory technical, operational, and management information security control requirements for each Department system, consistent with risk, the processes identified in standards of the National Institute of Standards and Technology, and the responsibilities of the Assistant Secretary to operate and maintain all Department systems currently creating, processing, collecting, or disseminating data on behalf of Department information owners.

(6) Establishing standards for access to Department information systems by organizations and individual employees, and to deny access as appropriate.

(7) Directing that any incidents of failure to comply with established information security policies be immediately reported to the Assistant Secretary.

(8) Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department for appropriate administrative or disciplinary action.

(9) Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department along with taking action to correct the failure or violation.

(10) Requiring any key official of the Department who is so notified to report to the Assistant Secretary with respect to an action to be taken in response to any compliance failure or policy violation reported by the Assistant Secretary.

(11) Ensuring that the Chief Information Officers and Information Security Officers of the Department comply with all cyber security directives and mandates, and ensuring that these staff members have all necessary authority and means to direct full compliance with such directives and mandates relating to the acquisition, operation, maintenance, or use of information technology resources from all facility staff.

(12) Establishing the VA National Rules of Behavior for appropriate use and protection of the information which is used to support Department missions and functions.

(13) Establishing and providing supervision over an effective incident reporting system.

(14) Submitting to the Secretary, at least once every quarter, a report on any deficiency in the compliance with subchapter III of chapter 35 of title 44 of the Department or any Administration, office, or facility of the Department.

(15) Reporting immediately to the Secretary on any significant deficiency in the compliance described by paragraph (14).

(16) Providing immediate notice to the Secretary of any presumptive data breach.

(c) Associate Deputy Assistant Secretary for Cyber and Information Security.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Associate Deputy Assistant Secretary for Cyber and Information Security, as the Senior Information Security Officer of the Department, is responsible for carrying out the responsibilities of the Assistant Secretary for Information and Technology under the provisions of subchapter III of chapter 35 of title 44, as set forth in subsection (b).

(d) Department Information Owners.—In accordance with the criteria of the Centralized IT Management System, Department information owners are responsible for the following:

(1) Providing assistance to the Assistant Secretary for Information and Technology regarding the security requirements and appropriate level of security controls for the information system or systems where sensitive personal information is currently created, collected, processed, disseminated, or subject to disposal.

(2) Determining who has access to the system or systems containing sensitive personal information, including types of privileges and access rights.

(3) Ensuring the VA National Rules of Behavior is signed on an annual basis and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions.

(4) Assisting the Assistant Secretary for Information and Technology in the identification and assessment of the common security controls for systems where their information resides.

(5) Providing assistance to Administration and staff office personnel involved in the development of new systems regarding the appropriate level of security controls for their information.

(e) Other Key Officials.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Under Secretaries, Assistant Secretaries, and other key officials of the Department are responsible for the following:

(1) Implementing the policies, procedures, practices, and other countermeasures identified in the Department information security program that comprise activities that are under their day-to-day operational control or supervision.

(2) Periodically testing and evaluating information security controls that comprise activities that are under their day-to-day operational control or supervision to ensure effective implementation.

(3) Providing a plan of action and milestones to the Assistant Secretary for Information and Technology on at least a quarterly basis detailing the status of actions being taken to correct any security compliance failure or policy violation.

(4) Complying with the provisions of subchapter III of chapter 35 of title 44 and other related information security laws and requirements in accordance with orders of the Assistant Secretary for Information and Technology to execute the appropriate security controls commensurate to responding to a security bulletin of the Security Operations Center of the Department, with such orders to supersede and take priority over all operational tasks and assignments and be complied with immediately.

(5) Ensuring that—

(A) all employees within their organizations take immediate action to comply with orders from the Assistant Secretary for Information and Technology to—

(i) mitigate the impact of any potential security vulnerability;

(ii) respond to a security incident; or

(iii) implement the provisions of a bulletin or alert of the Security Operations Center; and

(B) organizational managers have all necessary authority and means to direct full compliance with such orders from the Assistant Secretary.

(6) Ensuring the VA National Rules of Behavior is signed and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions on an annual basis.

(f) Users of Department Information and Information Systems.—Users of Department information and information systems are responsible for the following:

(1) Complying with all Department information security program policies, procedures, and practices.

(2) Attending security awareness training on at least an annual basis.

(3) Reporting all security incidents immediately to the Information Security Officer of the system or facility and to their immediate supervisor.

(4) Complying with orders from the Assistant Secretary for Information and Technology directing specific activities when a security incident occurs.

(5) Signing an acknowledgment that they have read, understand, and agree to abide by the VA National Rules of Behavior on an annual basis.

(g) Inspector General of Department of Veterans Affairs.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Inspector General of the Department is responsible for the following:

(1) Conducting an annual audit of the Department information security program.

(2) Submitting an independent annual report to the Office of Management and Budget on the status of the Department information security program, based on the results of the annual audit.

(3) Conducting investigations of complaints and referrals of violations as considered appropriate by the Inspector General.

(Added Pub. L. 109–461, title IX, §902(a), Dec. 22, 2006, 120 Stat. 3451; amended Pub. L. 111–275, title X, §1001(m)(1), Oct. 13, 2010, 124 Stat. 2897.)

Editorial Notes

Amendments

2010—Subsec. (g)(2). Pub. L. 111–275 inserted "the" before "Department".

Statutory Notes and Related Subsidiaries

Change of Name

Committee on Government Reform of House of Representatives changed to Committee on Oversight and Government Reform of House of Representatives by House Resolution No. 6, One Hundred Tenth Congress, Jan. 5, 2007. Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019. Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.

§5724. Provision of credit protection and other services

(a) Independent Risk Analysis.—(1) In the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, the Secretary shall ensure that, as soon as possible after the data breach, a non-Department entity or the Office of Inspector General of the Department conducts an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach.

(2) If the Secretary determines, based on the findings of a risk analysis conducted under paragraph (1), that a reasonable risk exists for the potential misuse of sensitive personal information involved in a data breach, the Secretary shall provide credit protection services in accordance with the regulations prescribed by the Secretary under this section.

(b) Regulations.—Not later than 180 days after the date of the enactment of the Veterans Benefits, Health Care, and Information Technology Act of 2006, the Secretary shall prescribe interim regulations for the provision of the following in accordance with subsection (a)(2):

(1) Notification.

(2) Data mining.

(3) Fraud alerts.

(4) Data breach analysis.

(5) Credit monitoring.

(6) Identity theft insurance.

(7) Credit protection services.

(c) Report.—(1) For each data breach with respect to sensitive personal information processed or maintained by the Secretary, the Secretary shall promptly submit to the Committees on Veterans' Affairs of the Senate and House of Representatives a report containing the findings of any independent risk analysis conducted under subsection (a)(1), any determination of the Secretary under subsection (a)(2), and a description of any services provided pursuant to subsection (b).

(2) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that is the sensitive personal information of a member of the Army, Navy, Air Force, Marine Corps, or Space Force or a civilian officer or employee of the Department of Defense, the Secretary shall submit the report required under paragraph (1) to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives in addition to the Committees on Veterans' Affairs of the Senate and House of Representatives.

(Added Pub. L. 109–461, title IX, §902(a), Dec. 22, 2006, 120 Stat. 3455; amended Pub. L. 116–283, div. A, title IX, §926(h), Jan. 1, 2021, 134 Stat. 3831.)

Editorial Notes

References in Text

The date of the enactment of the Veterans Benefits, Health Care, and Information Technology Act of 2006, referred to in subsec. (b), is the date of enactment of Pub. L. 109–461, which was approved Dec. 22, 2006.

Amendments

2021—Subsec. (c)(2). Pub. L. 116–283 substituted "Marine Corps, or Space Force" for "or Marine Corps".

§5725. Contracts for data processing or maintenance

(a) Contract Requirements.—If the Secretary enters into a contract for the performance of any Department function that requires access to sensitive personal information, the Secretary shall require as a condition of the contract that—

(1) the contractor shall not, directly or through an affiliate of the contractor, disclose such information to any other person unless the disclosure is lawful and is expressly permitted under the contract;

(2) the contractor, or any subcontractor for a subcontract of the contract, shall promptly notify the Secretary of any data breach that occurs with respect to such information.

(b) Liquidated Damages.—Each contract subject to the requirements of subsection (a) shall provide for liquidated damages to be paid by the contractor to the Secretary in the event of a data breach with respect to any sensitive personal information processed or maintained by the contractor or any subcontractor under that contract.

(c) Provision of Credit Protection Services.—Any amount collected by the Secretary under subsection (b) shall be deposited in or credited to the Department account from which the contractor was paid and shall remain available for obligation without fiscal year limitation exclusively for the purpose of providing credit protection services pursuant to section 5724(b) of this title.

(Added Pub. L. 109–461, title IX, §902(a), Dec. 22, 2006, 120 Stat. 3456.)

§5726. Reports and notice to Congress on data breaches

(a) Quarterly Reports.—(1) Not later than 30 days after the last day of a fiscal quarter, the Secretary shall submit to the Committees on Veterans' Affairs of the Senate and House of Representatives a report on any data breach with respect to sensitive personal information processed or maintained by the Department that occurred during that quarter.

(2) Each report submitted under paragraph (1) shall identify, for each data breach covered by the report—

(A) the Administration and facility of the Department responsible for processing or maintaining the sensitive personal information involved in the data breach; and

(B) the status of any remedial or corrective action with respect to the data breach.

(b) Notification of Significant Data Breaches.—(1) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that the Secretary determines is significant, the Secretary shall provide notice of such breach to the Committees on Veterans' Affairs of the Senate and House of Representatives.

(2) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that is the sensitive personal information of a member of the Army, Navy, Air Force, or Marine Corps or a civilian officer or employee of the Department of Defense that the Secretary determines is significant under paragraph (1), the Secretary shall provide the notice required under paragraph (1) to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives in addition to the Committees on Veterans' Affairs of the Senate and House of Representatives.

(3) Notice under paragraphs (1) and (2) shall be provided promptly following the discovery of such a data breach and the implementation of any measures necessary to determine the scope of the breach, prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

(Added Pub. L. 109–461, title IX, §902(a), Dec. 22, 2006, 120 Stat. 3457.)

§5727. Definitions

In this subchapter:

(1) Availability.—The term "availability" means ensuring timely and reliable access to and use of information.

(2) Confidentiality.—The term "confidentiality" means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

(3) Control techniques.—The term "control techniques" means methods for guiding and controlling the operations of information systems to ensure adherence to the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.

(4) Data breach.—The term "data breach" means the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.

(5) Data breach analysis.—The term "data breach analysis" means the process used to determine if a data breach has resulted in the misuse of sensitive personal information.

(6) Fraud resolution systems.—The term "fraud resolution services" means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft.

(7) Identity theft.—The term "identity theft" has the meaning given such term under section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).

(8) Identity theft insurance.—The term "identity theft insurance" means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with efforts to correct and ameliorate the effects and results of identity theft of the insured individual.

(9) Information owner.—The term "information owner" means an agency official with statutory or operational authority for specified information and responsibility for establishing the criteria for its creation, collection, processing, dissemination, or disposal, which responsibilities may extend to interconnected systems or groups of interconnected systems.

(10) Information resources.—The term "information resources" means information in any medium or form and its related resources, such as personnel, equipment, funds, and information technology.

(11) Information security.—The term "information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.

(12) Information security requirements.—The term "information security requirements" means information security requirements promulgated in accordance with law, or directed by the Secretary of Commerce, the National Institute of Standards and Technology, and the Office of Management and Budget, and, as to national security systems, the President.

(13) Information system.—The term "information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether automated or manual.

(14) Integrity.—The term "integrity" means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

(15) National security system.—The term "national security system" means an information system that is protected at all times by policies and procedures established for the processing, maintenance, use, sharing, dissemination or disposition of information that has been specifically authorized under criteria established by statute or Executive Order to be kept classified in the interest of national defense or foreign policy.

(16) Plan of action and milestones.—The term "plan of action and milestones", means a plan used as a basis for the quarterly reporting requirements of the Office of Management and Budget that includes the following information:

(A) A description of the security weakness.

(B) The identity of the office or organization responsible for resolving the weakness.

(C) An estimate of resources required to resolve the weakness by fiscal year.

(D) The scheduled completion date.

(E) Key milestones with estimated completion dates.

(F) Any changes to the original key milestone date.

(G) The source that identified the weakness.

(H) The status of efforts to correct the weakness.

(17) Principal credit reporting agency.—The term "principal credit reporting agency" means a consumer reporting agency as described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

(18) Security incident.—The term "security incident" means an event that has, or could have, resulted in loss or damage to Department assets, or sensitive information, or an action that breaches Department security procedures.

(19) Sensitive personal information.—The term "sensitive personal information", with respect to an individual, means any information about the individual maintained by an agency, including the following:

(A) Education, financial transactions, medical history, and criminal or employment history.

(B) Information that can be used to distinguish or trace the individual's identity, including name, social security number, date and place of birth, mother's maiden name, or biometric records.

(20) Subordinate plan.—The term "subordinate plan", also referred to as a "system security plan", means a plan that defines the security controls that are either planned or implemented for networks, facilities, systems, or groups of systems, as appropriate, within a specific accreditation boundary.

(21) Training.—The term "training" means a learning experience in which an individual is taught to execute a specific information security procedure or understand the information security common body of knowledge.

(22) Va national rules of behavior.—The term "VA National Rules of Behavior" means a set of Department rules that describes the responsibilities and expected behavior of personnel with regard to information system usage.

(23) Va sensitive data.—The term "VA sensitive data" means all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information and includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions.

(Added Pub. L. 109–461, title IX, §902(a), Dec. 22, 2006, 120 Stat. 3457; amended Pub. L. 111–275, title X, §1001(m)(2), Oct. 13, 2010, 124 Stat. 2897.)

Editorial Notes

Amendments

2010—Par. (20). Pub. L. 111–275 substituted "plan that defines" for "subordinate plan defines".

§5728. Authorization of appropriations

There are authorized to be appropriated to carry out this subchapter such sums as may be necessary for each fiscal year.

(Added Pub. L. 109–461, title IX, §902(a), Dec. 22, 2006, 120 Stat. 3460.)