(a) Veterans trust VA to promote and respect their privacy, confidentiality, and autonomy in the services we provide or support. We earn this trust when we adhere to VA's core values of integrity, commitment, advocacy, respect, and excellence (commonly referred to as ICARE).
(b) Consistent with the values listed in paragraph (a) of this section, VA must promote and ensure responsible practices whenever veteran data is accessed, shared, or used by VA or its partners. Veteran data is accessed, shared, and used for many purposes which are developing at an unparalleled pace. While the regulatory and policy framework that governs data access, sharing, and use sets important standards about what is required with respect to data access, sharing, and use, it does not always provide definitive guidance about how VA should manage access, sharing, or use of veteran data when regulation and policy permit organizational discretion, except in cases where there are already established federally protected classes.
(c) The following principles establish an overarching ethical framework for all individuals, groups, or entities to apply when managing access to, sharing of, or use of VA veteran data. All parties who have or obtain access to and use VA veteran data are encouraged to carefully consider and apply this principle-based ethical framework when not contradicted by other specific clinical, technical, fiscal, regulatory, professional, industry, and other standards. VA and its partners must apply this principle-based ethical framework when accessing, sharing or using veteran data unless prohibited by law. Consistent application of this framework will ensure the integrity and trustworthiness that veterans and other stakeholders expect and deserve when veteran data is accessed, shared, or used.
(1) Principle 1. The primary goal for use of veteran data is for the good of veterans. Veteran data is personal and sensitive. Use of veteran data by VA and its partners must have the primary goal of supporting and improving overall veteran health and wellness, and the delivery of benefits and services to veterans at large.
(2) Principle 2. Veteran data should be used in a manner that ensures equity to veterans. The proper use of veteran data by VA and its partners must help to ensure equity so that no veteran population is disproportionally excluded from the benefits of, or burdened by the risks of, data use because of race, color, religion, national origin, limited English proficiency, age, sex (including gender identity and transgender status), sexual orientation, pregnancy, marital and parental status, disability, or genetic information.
(3) Principle 3. The sharing of veteran data should be based on the veteran's meaningful choice. When regulation and policy permit organizational discretion, the sharing of veteran data by VA and its partners should be based on the veteran's meaningful choice to permit sharing their information for that specific purpose; exceptions for sharing based on a veteran's meaningful choice are treatment, payment, health care operations, public health and safety reporting, and when required by law. Timely, clear, relevant, concise, complete, and comprehensible information must be provided to the veteran to serve as a basis for their free and informed choice. A veteran's preference to change their mind about sharing or not sharing their information should be facilitated, with the understanding that information that has already been shared may be unable to be retrieved or retracted. A veteran's choice(s) about data sharing must not be the basis to deny care or benefits to which they are otherwise entitled. Meaningful choice may be expressed in many forms and a written requirement is not implied.
(4) Principle 4. Access to and exchange of veteran data should be transparent and consistent. Access to and the exchange of veteran data should be transparent and consistent, and in accordance with all applicable standards. For the Veterans Health Administration (VHA), this includes practices described in VHA's Notice of Privacy Practices. Data should only be shared or accessed for approved and specified purposes; there should be no unspecified use, or re-use of veteran data without VA agreement or approval. The release of veteran data for purposes other than those which were originally approved or specified, such as in an agreement, requires a separate approval and commitment of all parties to follow these principles. Failure to ensure such protections is a breach of veteran trust and confidentiality.
(5) Principle 5. De-identified veteran data should not be reidentified without authorization. Parties who receive de-identified veteran data must not attempt to re-identify the data in any manner without prior VA agreement or approval. VA considers unauthorized re-identification a breach of veteran trust and confidentiality.
(6) Principle 6. There is an obligation of reciprocity for gains made using veteran data. A financial or other gain from innovation by non-VA parties that uses veteran data obtained from VA creates a moral and tangible obligation of reciprocity to share this gain with veterans, veterans' service organizations, and/or veterans' causes. For example, parties could fulfill this obligation by giving back to the veteran community through support of veteran causes or organizations, by facilitating veteran access to innovations to which veteran data contributed, or, at a minimum, by publicly recognizing veteran contributions to the gain or innovation. Veteran data must not be sold by VA or its partners.
(7) Principle 7. All parties are obligated to ensure data security, quality and integrity of veteran data. All parties who send, receive, or use VA veteran data must ensure data security, quality, and integrity. In other words, the data must remain secure; accurate; complete; and representative of the data quality, meaning, and integrity when they were received or accessed from VA. Access to data by VA and its partners should be limited to the minimum amount needed to accomplish the stated purpose and should be terminated when no longer required. Data that are not necessary to accomplish the purpose for which they were obtained should not be retained longer than legally required. Transparency about breaches in data security, quality or integrity is also essential to promote trust and minimize impacts to veterans.
(8) Principle 8. Veterans should be able to access their own information. Veterans must have user-friendly access to their own information. Access may be through electronic means such as mobile applications, web portals, or through convenient written or in-person processes.
(9) Principle 9. Veterans have the right to request amendments to their own information. Veterans must be able to request amendments to information in their VA records if they feel it is untimely, inaccurate, incomplete, or not relevant.
(d) As used in this section, de-identified veteran data means information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information is individually identifiable information or can be used by any means to identify an individual. For protected health information (PHI), veteran data is not de-identified unless in compliance with 45 CFR parts 160 and 164.
[87 FR 40452, July 7, 2022]