Privacy compliance at VA comprises many individual components, such as policy and procedural updates, which ensure that VA conforms to all applicable privacy laws. VA Privacy Service administers programs in accordance with the Privacy Act of 1974, the E-Government Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), and NIST 800-53, Revision 4, Security and Privacy Controls for Information Systems and Organizations.
VA uses Privacy Impact Assessments, Computer Matching Agreements, and System of Records Notices as part of its compliance process.
Privacy Impact Assessments
Section 208 of the E-Government Act of 2002 requires Privacy Impact Assessments (PIAs) from all federal government agencies that develop or procure new information technology involving the collection, maintenance or dissemination of information in identifiable form. This is also true of agencies making substantial changes to existing information technology that manages information in identifiable form.
A PIA is an analysis of how information in identifiable form is collected, stored, protected, shared and managed. Its purpose is to demonstrate that system owners and developers have incorporated privacy protections throughout the entire life cycle of a system. The E-Government Act of 2002 requires agencies to make PIAs publicly available, except when an agency, at its discretion, determines that publishing the PIA would raise security concerns, such as revealing classified (i.e., national security) information or sensitive information contained in the assessment (e.g., information potentially damaging to a national interest, a law enforcement effort or a competitive business interest).