U.S Department of Veterans Affair

Privacy and Application Data Security

 

The VHA Privacy and Application Security offices ensure that mobile applications adhere to Privacy regulations and statutes as well as VA policy. We use the Privacy and Security checklist to determine if data is stored, transmitted or entered by the user, provider or employee. We also determine if there is sensitive information like Private Health Information (PHI) or Personally identifiable information (PII) stored on the App. If it is, the Data Security branch determines how the App protects the information. For an overview of the Healthcare Security process, please review this presentation.

Privacy Issues

Here are examples of the issues we examine to see how your App handles Privacy issues.

Apps for Veterans:

  • If the App retrieves VA Data from a VA database and stores it on the mobile device, an end user license agreement (EULA) states that the Veteran owns the locally stored data.
  • If the App retrieves VA data from VA database but it is not stored on the Veteran’s device, the App's EULA states that the Veteran is not being provided a copy but is only being given access to the data through the device.
  • If the App does not transmit a Veteran's self-entered data to VA, it securely stores it on the device as determined by an Information Security Officer.
  • If the App transmits a Veteran's self-entered data to VA it does so in a manner that is covered by a Privacy Act system of records. The App's EULA states that the VA will receive the data entered by the user on the device.

Apps for Providers:

  • If the App transmits data from a Provider to VA, it does so in a manner that is covered by a Privacy Act system of records like the Mobile Application Environment (MAE) -VA 173VA005OP2.
  • If the App displays any VA data retrieved from VA database and displayed to VA Providers in performance of their official duties, it does not store that data on the device.
  • If the App retrieves VA data from VA database that a VA Provider modifies and then transmits to VA for inclusion, the record arrives in the appropriate Federal Record or in a Privacy Act System of Records. (For example, 24VA10P2)